Abstract. Program transformations are widely used in synthesis, optimization, and maintenance of software. 
Correctness of program transformations depends on preservation of some important properties of the 
input program. By regarding programs as Kripke structures, many interesting properties of programs can 
be expressed in temporal logics. In temporal logic, a formula is interpreted on a single program. However, 
to prove correctness of transformations, we encounter formulae which contain some subformulae interpreted 
on the input program and some on the transformed program. An example where such a situation arises is 
verification of optimizing program transformations applied by compilers. 

In this paper, we present a logic called Temporal Transformation Logic (TTL) to reason about such 
formulae. We consider different types of primitive transformations and present TTL inference rules for them. 
Our definitions of program transformations and temporal logic operators are novel in their use of the boolean 
matrix algebra. This results in specifications that are succinct and constructive. Further, we use the boolean 
matrix algebra in a uniform manner to prove soundness of the TTL inference rules. 

Keywords: Program transformations; Temporal logic; Compiler verification; Boolean matrix algebra 



1. Introduction 

Program transformations are widely used in synthesis, optimization, and maintenance of software. Correctness 
of program transformations depends on preservation of some important properties of the input program. 
By regarding programs as Kripke structures, many interesting properties of programs can be expressed in 
temporal logics [Pnu77]. In temporal logic, a formula is interpreted on a single program. However, to prove 
correctness of transformations, we encounter formulae which contain some subformulae interpreted on the 
input program and some on the transformed program. The proof systems for temporal logics [MP91, PK02] 
are therefore not sufficient to prove correlations of temporal properties across program transformations. In 
this paper, we present a logic called Temporal Transformation Logic (TTL) to reason about such formulae. 
Our study of this logic is motivated by an interesting application in the area of compiler verification. 
A compiler optimizer analyzes a program and identifies potential performance improvements. An optimized 
version of the program is then obtained by applying several transformations to the input program. However, 
a mistake in the design of an optimizer can proliferate in the form of bugs in the software compiled through 
it. It is therefore important to verify whether an optimization routine preserves program semantics. Proving 
semantic equivalence of programs is usually tedious. The complexity of proofs can be conquered by taking 
advantage of the fact that optimizations with similar objectives employ similar program transformations. 
This observation led to the identification of transformation primitives and their soundness conditions [KSK07]. 

A transformation primitive denotes a small-step program transformation that is used in many optimizing 
transformations. These primitives can be used to specify a large class of optimizations by sequential com- 
position. The soundness condition for a transformation primitive is a condition on the input programs to 
the primitive which if satisfied implies that the transformed program is semantically equivalent to the input 
program. This approach reduces proving soundness of an optimization to merely showing that soundness 
conditions of the underlying primitives are satisfied on the versions of the input program on which they are 
applied. This is much simpler than directly proving semantics preservation for each optimization. 

Program analyses that are used for identifying optimization opportunities and the soundness conditions 
of the transformation primitives are global dataflow properties. These properties can be either forward, 
backward, or more generally bidirectional [DK93]. Further, these can be classified as may or must properties 
depending on whether they are defined in terms of some or all paths originating (for forward analyses) or 
terminating (for backward analyses) at a node. These properties can be expressed naturally in a temporal 
logic called computational tree logic with branching past (CTL_bp) [KP95]. CTL_bp formulae are state formulae 
and thus application points for program transformations can be identified by models of CTL_bp formulae. 

A program analysis used in an optimization is interpreted on the input program. However, the input 
program is transformed step-by-step and hence the soundness condition of a transformation primitive is 
interpreted on the version of the input program to which it is applied. Thus to prove soundness of an 
optimization, we need a logic to correlate temporal properties of programs across transformations. Program 
transformations are used widely in various software engineering activities like program synthesis, refactoring, 
software renovation, and reverse engineering [Vis01]. Temporal logic is known to be a powerful language for 
specifying properties of program executions. We therefore believe that TTL will also be useful in verification 
problems arising in these domains. 

A program transformation may involve changes to the control flow graph (structural transformation) and 
to the program statements (content transformation). In general, if we consider arbitrary big-step transfor- 
mations resulting in diverse changes to the input program, we may not be able to correlate any interesting 
temporal properties across them. We therefore present inference rules for the (small-step) transformation 
primitives. A larger transformation is expressed as a sequential composition of such primitives. A correlation 
between temporal properties of its input and output programs can be inferred by using the rules for the 
component transformations on intermediate versions of the program. 

The semantics of temporal operators is usually defined in a relational setting by considering transitive 
closure (paths) of the transition relation (edges) of a Kripke structure. We make novel use of the boolean 
matrix algebra to define temporal logic operators and also the primitive program transformations. The 
definitions are succinct and facilitate algebraic proofs of soundness of the TTL inference rules. Further, the 
definitions are constructive and can be evaluated directly. The choice of boolean matrix algebra thus enables 
both verification and translation validation of compiler optimizations [KSK06, KSK07, KKS]. 

Related work 

Temporal logic has been used for specifying dataflow properties. In [Sch98, SS98], Schmidt et al. propose 
that static analysis of a program can be viewed as model checking of an abstraction of the program, with 
the properties of interest specified in a suitable temporal logic. In the recent literature on verification of 
compiler optimizations [LJWF02, Fre02, LMC03], conditional rewrites are proposed as a means for specifying 
optimizing transformations. The enabling condition of a rewrite is defined in a temporal logic. However, unlike 
our approach [KSK07], they do not use the temporal logic in verification. The verification is performed by 
proving semantic equivalence of programs by induction on length of program executions. 

Kripke structures serve as a natural modeling paradigm for system specification when the properties of 
interest are temporal in nature. Simulation relations [Mil71, Nam97] make it possible to correlate temporal 
properties between Kripke structures and are used to show refinement or equivalence of system specifications. 
Transformations of Kripke structures arise in state space reduction techniques [Par81, FV99, BdS93, HHK95] 
where a Kripke structure is transformed to a (bi)similar Kripke structure with fewer states. Model 
checking certain formulae over the reduced Kripke structure is equivalent to model checking the formulae 
on the original Kripke structure. In order to prove soundness of the TTL inference rules, we also construct 
simulation relations between programs (seen as Kripke structures). However, unlike the usual set-based 
formulation of simulation relations, we present boolean matrix algebraic formulation. This enables us to 
prove correlations of temporal properties between programs (Kripke structures) in a completely novel boolean 
matrix algebraic setting. 

Boolean matrix algebra or, more generally, modal algebra has been used for defining semantics of modal 
logic operators [Tho72, BdRV01]. The boolean algebra is used for modeling propositional logic and the 
boolean matrix algebraic operators are used for capturing different modalities. In [Fit03], Fitting develops a 
modal algebraic formulation of bisimulation in modal and multi-modal settings. Our definitions correspond 
to frame bisimulations in [Fit03]. However, our approach is constructive, that is, for each type of primitive 
transformations, we show that a simulation relation of a certain nature exists between a program and its 
transformed version under the primitive transformation. To the best of our knowledge, our definitions of pro- 
gram transformations and proofs of soundness of correlations of temporal properties across transformations 
is the first approach which makes use of the boolean matrix algebra in this setting. 

Temporal logic model checking is an algorithmic technique for checking whether a model satisfies a temporal 
logic formula (cf. [CGP00]). The validation of individual program transformations can be achieved by 
model checking a specified property on the input program and (with possible renaming of atomic 
propositions) also on its transformed version. For translation validation of compiler optimizers, model checking 
can be used effectively [KSK06, KKS]. In this paper, we address the problem of proving preservation of 
temporal properties for all possible applications of a transformation primitive. In temporal logic, a formula 
is interpreted on a single program and therefore the proof systems for temporal logics [MP91, PK02] are not 
sufficient in this setting. 

Outline 

In Section 2, we motivate the need for a logic like TTL through an application to verification of compiler 
optimizations. In Section 3, we define several primitive graph transformations which are used in Section 4 
to define primitive program transformations. In Section 5, we define the notion of transformations of Kripke 
structures and model program transformations as transformations of Kripke structures. The syntax, semantics, 
and inference rules of TTL are presented in Section 6. The proofs of soundness of the TTL inference 
rules are derived in Section 7. In Section 8, we present the conclusions. 

2. Motivation: Verification of compiler optimizations 
Specification scheme 

Consider the formal specification of the common subexpression elimination (CSE) optimization given in Figure 1. 
We use PVS (Prototype Verification System) [OSRSC99] to develop, validate, and verify formal specifications 
of optimizations. In this paper, we explain the CSE specification intuitively without giving details of 
the PVS specification language. The specification defines both the program analysis and the optimizing 
transformation. In Figure 1, prog is a program and e is an expression in prog. A function that defines a 
program analysis returns a boolean vector (whose type is a column matrix mat) such that the boolean value 
corresponding to a program point denotes whether the property holds at the program point or not. We 
explain the CSE specification with an example optimization shown in Figure 2. 

The functions Transp, Antloc, and Comp define local dataflow properties i.e. the dataflow information that 
depends only on the statement at a program point. An expression e is Transp at a program point if none of its 
operands are modified at the program point. An expression e is Antloc at a program point if the expression 
is computed at the program point. If an expression is both Transp and Antloc at a program point then it is 
Comp at the program point. For brevity, we do not give the definitions of these local dataflow properties. 
For the definitions, we refer the reader to [Kan07]. For prog1 in Figure 2, the expression a/b is Transp at all 
the program points, and is Antloc and Comp at program points 2, 3, and 5. 
Avail(prog, e) : mat = Comp(prog, e)

Redund(prog, e) : mat = Antloc(prog, e) * AY(prog'cfg, AS(prog'cfg, Transp(prog, e), Avail(prog, e)))

OrgAvail(prog, e) : mat = Avail(prog, e) - Redund(prog, e)

CSE_Transformation(prog1, e) : Program =
  IF member(e, Expressions(prog1)) AND BASE?(e) THEN
    LET n1         = length(prog1'cfg'T),
        orgavails  = OrgAvail(prog1, e),
        m          = Count1s(orgavails),
        redund     = Redund(prog1, e),
        newpoints  = append(zero1(n1), one1(m)),
        prog2      = IP(prog1, orgavails, newpoints),
        t          = NEWVAR(prog2),
        prog3      = IA(prog2, newpoints, t, e),
        orgavails3 = append(orgavails, zero1(m)),
        prog4      = RE(prog3, orgavails3, e, t),
        redund4    = append(redund, zero1(m))
    IN  RE(prog4, redund4, e, t)
  ELSE prog1 ENDIF

Fig. 1. A specification of common subexpression elimination optimization 
Fig. 2. An example of common subexpression elimination optimization 



The function Redund defines a global dataflow property, i.e., dataflow information that depends on the 
statements along the paths ending or starting at a program point. We specify global dataflow properties 
using CTL_bp. The functions AY and AS respectively denote the universal predecessor and the universal since 
CTL_bp operators. Since an optimization transforms a program step-by-step, we have different versions of the 
input program. Thus, in the PVS specifications, we pass the control flow graph of a program (denoted as 
prog'cfg) that a CTL_bp operator is interpreted on as a parameter to the function. However, in the latter part 
of the paper, we follow the usual convention where temporal operators do not take a model as a parameter. 

A program point satisfies the Redund property if (1) the expression e is Antloc at a program point and 
(2) from all its predecessors, the expression is Transp along all incoming paths, since it is Avail. The origins 
of availability (OrgAvail) are the program points where the expression is Comp but not Redund. For prog1 in 
Figure 2, the expression a/b is Redund at program point 5 and it is OrgAvail at program points 2 and 3. 

The function CSE_Transformation is an optimizing transformation, i.e., it takes an input program and possibly 
other parameters, and applies several primitive transformations to the input program. CSE_Transformation 
is defined as the following sequence of transformations: 

1. Transform prog1 to prog2: Insert a predecessor (IP) each to the program points that satisfy the OrgAvail 
property in prog1. In Figure 2, program points 8 and 9 are the new predecessors to program points 2 and 
3. Due to space constraints, prog2 and prog3 (a transformed version of prog2) are represented as the same 
program in Figure 2. In prog2, program points 2 and 3 contain skip statements. The statements shown 
at program points 2 and 3 are obtained by the next transformation. 

2. Transform prog2 to prog3: Let t be a new variable. Insert an assignment (IA) t := e at the new program 
points introduced in the first transformation. In Figure 2, the assignment t := a/b (where t is a new 
variable and a/b is the expression under consideration) is inserted at program points 8 and 9. 

3. Transform prog3 to prog4: Replace the occurrences of e at the program points that satisfy the OrgAvail 
property in prog1 by t. In Figure 2, the computations of a/b at program points 2 and 3 are replaced by t. 

4. Transform prog4 to prog5: Replace the occurrences of the expression (RE) e at the program points that 
satisfy the Redund property in prog1 by t. In Figure 2, the computation of a/b at program point 5 is 
replaced by t. 

In Section 4, we explain the definitions of the transformation primitives: insertion of predecessors (IP), 
insertion of assignments (IA), and replacement of expressions (RE). An extensive set of transformation 
primitives is defined in [Kan07]. 



Soundness conditions 

Consider an application of RE: RE(prog, points, e, v). It returns a transformed version of the input program 
prog where the occurrences of the expression e at the program points denoted by points are replaced by a 
variable v. The replacement of an occurrence of e at a program point p by v preserves semantics if v and e 
have the same value just before p. The soundness conditions for RE are as follows: 

(1) The statement at p is an assignment statement. AND 

(2) The variable v is not an operand of the expression e. AND 

(3) The expression e is computed at p (Antloc). AND 

(4) Depending on the nature of e, we have the following conditions: 

(a) If the expression is just a variable (say x) then along each backward path starting from the 
predecessors of p one of the following should hold: 

• An assignment v := x or an assignment x := v is encountered and in between there is no other 
assignment to any of the variables v or x. 

• The assignments v := h and x := h for some expression h are encountered (in some order) at 
program points, say p1 and p2. In between p1 and p2, the expression h is Transp, ensuring that both 
v and x have the same value. Up to the first of the program points p1 and p2, along the backward 
path from p, neither v nor x is assigned. 

(b) Otherwise, along each backward path starting from the predecessors of p, an assignment v := e is 
encountered with no assignment to v or the variable operands of e in between. 

Similarly, soundness conditions for the other transformation primitives can also be defined. It can be observed 
that the soundness conditions can be naturally expressed in CTL_bp. For each transformation primitive, we 
identify the soundness conditions and separately prove that if the soundness conditions are satisfied by an 
application of the primitive then the transformed program is semantically equivalent to the input program. 
These are one-time proofs. Since the primitives are small-step transformations, the proofs of semantics 
preservation for them are easier than similar proofs for (large-step) optimizing transformations. 
Verification scheme 



Consider an optimizing transformation T applied to an input program $P_1$: 

$$T(P_1) \triangleq \mathbf{LET}\; P_2 = T_1(P_1, \pi_1),\; \ldots,\; P_k = T_{k-1}(P_{k-1}, \pi_{k-1}) \;\mathbf{IN}\; T_k(P_k, \pi_k)$$ 



where a transformation primitive $T_i$ is applied to a program $P_i$ at program points $\pi_i$. Let other parameters 
of the transformation primitives be implicit. 

Let $\varphi_1, \ldots, \varphi_k$ respectively be the soundness conditions of the primitives $T_1, \ldots, T_k$. The soundness 
of T can be established by proving that for each $i \in \{1, \ldots, k\}$, the verification condition $\varphi_i(P_i, \pi_i)$ is 
satisfied. Thus, proving soundness of an optimization reduces to showing that the soundness conditions 
of the underlying transformation primitives are satisfied. Optimizations with similar objectives comprise 
similar transformations. For example, "replacement of some occurrences of an expression by a variable" is a 
transformation which is common to optimizations like common subexpression elimination, lazy code motion, 
loop invariant code motion, and several others whose aim is to avoid unnecessary recomputations of a value. 
Thus identification of transformation primitives and their soundness conditions simplifies both specification 
and verification of a class of optimizations. 

To prove a verification condition $\varphi_i(P_i, \pi_i)$, we use the program analysis and properties of the preceding 
transformations. However, the program analysis is interpreted on the input program and properties of the 
preceding transformations are interpreted on previous versions of the program. Thus we require a logic 
to correlate temporal properties across transformations of programs. We therefore develop the temporal 
transformation logic in this paper. 

3. Primitive graph transformations 

A structural transformation of a program involves a transformation of the control flow graph of the program. 
For example, the insertion of predecessors (IP) transformation used in the CSE specification (Figure 1) is a 
structural transformation. In this section, we define several primitive graph transformations which are then 
used, in the next section, to define primitive program transformations. 

3.1. Notation 

We use the boolean matrix algebra in a novel way to define graph transformations. We now introduce the 
notation and terminology for boolean matrix algebraic operations and graph transformations. 

Boolean matrix algebra 

Let B = {0, 1} be the set of boolean values. Consider a boolean algebra $\mathcal{A} = (B, \neg, \vee, \wedge, 0, 1)$ where $\neg$, $\vee$, 
and $\wedge$ are respectively the boolean negation, disjunction, and conjunction operators. Let 0 and 1 respectively 
be the identity elements of the $\vee$ and $\wedge$ operators. 

For any two positive natural numbers n and m, consider a function 

$B_{n,m} : \{1, \ldots, n\} \times \{1, \ldots, m\} \to B.$ 

Let us consider $B_{n,m}$ as an (n×m) boolean matrix with n rows and m columns. For a matrix U, let $[U]_i^j$ 
denote the element at the ith row and the jth column. Let $[U]_i$ denote the ith row vector of U and $[U]^j$ 
denote the jth column vector of U. 

Consider a boolean matrix algebra $\mathcal{A}_{n,m}$ defined as follows: 



The functions in the algebra are defined as follows: 

1. $\neg U$ denotes the negation of U, which extends the boolean negation to matrices. 

2. $U^T$ denotes the transpose of U. 
Transform G to G' : Split node 1 into nodes 1 and 3 
(or Transform G' to G : Merge nodes 1 and 3 into node 1) 

Fig. 3. An Example of Node Splitting (or Node Merging) 



3. If U and V are two (n×m) matrices, the addition "U+V", the product "U*V", and the subtraction 
"U−V" are defined as follows: 

$[U+V]_i^j = [U]_i^j \vee [V]_i^j \qquad [U*V]_i^j = [U]_i^j \wedge [V]_i^j \qquad [U-V]_i^j = [U]_i^j \wedge \neg [V]_i^j$ 

4. If U is an (n×m) matrix and V is an (m×p) matrix, the multiplication "U·V" gives an (n×p) matrix as 
follows: 

$[U \cdot V]_i^j = \bigvee_{1 \le k \le m} \left( [U]_i^k \wedge [V]_k^j \right)$ 

$\mathbf{0}_{n,m}$ is an (n×m) matrix whose elements are all 0s and is the identity element of the operator +. $\mathbf{1}_{n,m}$ 
is an (n×m) matrix whose elements are all 1s and is the identity element of the operator *. 

For readability, we do not explicate dimensions of matrices and assume appropriate dimensions as per 
their usage. We use bold letters to denote boolean vectors. Boolean vectors are also considered as column 
matrices. The two special vectors $\mathbf{0}$ and $\mathbf{1}$ have all their elements as 0s and 1s respectively. 

The precedence of the operators in decreasing order is as follows: $[\,\neg \;\; {}^T\,]\;[\,\cdot\,]\;[\,+ \;\; - \;\; *\,]$. The 
operators within a pair of brackets have the same precedence and their usage needs to be disambiguated with 
appropriate parenthesization. 

Graph transformations 

A graph G is specified by a set of nodes N and a boolean adjacency matrix A representing the edges of G. 
We assume an implicit ordering of nodes to access elements in matrices and vectors associated with a graph. 
The ordering is considered to be constant for a graph. 

Consider a graph G = (N, A) and its transformed version G' = (N', A'). A correspondence relation C 
for a transformation of G to G' gives the correspondence between the nodes of G' and the nodes of G. It is 
denoted as an (|N'| × |N|) boolean matrix. We define the transformation of G to G' in terms of (1) the nature 
of the correspondence relation C and (2) an equation expressing the adjacency matrix A' of the transformed 
graph in terms of the adjacency matrix A of the input graph. 

Below we describe seven types of primitive graph transformations. These transformations are orthogonal 
to each other, i.e., none of them can be expressed in terms of the others. 



3.2. Node Splitting 

A node splitting transformation of a graph G splits at least one node of G into multiple nodes. The edges 
associated with a node being split are translated into similar edges for the corresponding nodes in the 
transformed graph G'. All the other edges of G are preserved. For example, consider the graphs G and G' 
shown in Figure 3. Node 1 of G is split into nodes 1 and 3 to get graph G'. Edge (1, 2) of G is translated 
into edges (1, 2) and (3, 2) of G'. Similarly, edge (2, 1) of G is translated into edges (2, 1) and (2, 3) of G'. 

In Figure 3, the correspondence relation C between the nodes of G' and G is shown by the dashed gray 
arrows from right to left. A correspondence relation arrow from a node p to a node q means that the element 
at the pth row and qth column in the correspondence matrix C is (boolean) 1, i.e., $[C]_p^q = 1$. The matrix $C^T$ 
is represented by the dashed gray arrows from left to right. 

The correspondence between the edges of the two graphs can be traced diagrammatically. For example, 
suppose we go from node 3 of G' to node 1 of G by following a C arrow, then we follow edge (1,2) in G, and 
lastly, we follow the C arrow from node 2 of G to node 2 of G'. This gives us edge (3, 2) in G'. Similarly, all 
the other edges of G' can be traced. 

The composition of arrows and edges (which are respectively relations between the nodes of G' and G, 
and between the nodes of the individual graphs) can be represented very concisely as matrix multiplications, 
when these relations are expressed as adjacency matrices. This allows us to express the adjacency matrix of 
the transformed graph in terms of the adjacency matrix of the input graph. 

Definition 1. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called a node splitting 
transformation if 

1. The correspondence relation C between the nodes of G' and G is a total, onto, and many-to-one relation 
and 

2. $C \cdot A \cdot C^T = A'$. 

The first condition specifies the nature of the correspondence relation. The correspondence relation is 
required to be total and onto. Totality ensures that each node of the transformed graph corresponds to a 
node of the input graph i.e. no new node is introduced in the transformed graph. The onto nature of the 
correspondence relation ensures that for each node of the input graph there is a node of the transformed 
graph i.e. no node of the input graph is deleted. The many-to-one nature of the correspondence relation 
ensures that at least one node of the transformed graph corresponds to multiple nodes of the input graph i.e. 
the transformation splits at least one node of the input graph and is not vacuous. We require the non-vacuous 
nature of the relation so that the definitions of the graph transformations are unambiguous and orthogonal. 
The second condition defines the adjacency matrix of the transformed graph in terms of the adjacency matrix 
of the input graph and the correspondence relation. 

3.3. Node Merging 

A node merging transformation of a graph G merges multiple nodes of G into a single node. The edges 
associated with the nodes being merged are coalesced into similar edges for the merged node. All the other 
edges of G are preserved. For example, consider the graphs shown in Figure [3] once again. This time consider 
G to be a transformation of G' . Nodes 1 and 3 of G' are merged into node 1 of G. The correspondence 
relation C is now given by the dashed gray arrows from left to right (opposite to that of the node splitting 
example). Edges (1,2) and (3,2) of G' are coalesced into edge (1,2) of G. Similarly, edges (2, 1) and (2,3) 
of G' are coalesced into edge (2, 1) of G. As described earlier, the correspondence between the edges of the 
two graphs can be traced diagrammatically. 

Definition 2. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called a node merging 
transformation if 

1. The correspondence relation C between the nodes of G' and G is a total, onto, and one-to-many relation 
and 

2. $C \cdot A \cdot C^T = A'$. 

The first condition ensures that there are no new nodes introduced in the transformed graph (totality) 
and no nodes of the input graph are deleted (ontoness). The one-to-many nature ensures that more than 
one node is merged and the transformation is not vacuous. The second condition defines the adjacency 
matrix of the transformed graph in terms of the adjacency matrix of the input graph and the correspondence relation. 

3.4. Edge Addition 

An edge addition transformation of a graph G adds at least one edge to G. All the edges of G are preserved. 
For example, consider the graphs G and G' shown in Figure 4 such that G' is obtained by adding edge (1, 3) to 
G. The correspondence relation C is given by the dashed gray arrows from right to left. The correspondence 
between the rest of the edges can be traced diagrammatically. 

Fig. 4. An Example of Edge Addition (or Edge Deletion) 

Definition 3. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called an edge addition 
transformation if 

1. The correspondence relation C between the nodes of G' and G is a bijection and 

2. There exists a (|N| × |N|) matrix E s.t. $A + E > A$ and $C \cdot A \cdot C^T + C \cdot E \cdot C^T = A'$, where the matrix E denotes 
the edges to be added to G. 

The first condition ensures that there is a one-to-one correspondence between the nodes of G' and G. 
The second condition ensures that at least one new edge is added. 

3.5. Edge Deletion 

An edge deletion transformation of a graph G deletes at least one edge of G. All the other edges of G are 
preserved. For example, consider the graphs shown in Figure 4 once again. This time consider G to be a 
transformation of G'. Edge (1, 3) is deleted from G' to get G. The correspondence relation C is now given as 
the dashed gray arrows from left to right (opposite to that of the edge addition example). The correspondence 
between the rest of the edges can be traced diagrammatically. 

Definition 4. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called an edge deletion 
transformation if 

1. The correspondence relation C between the nodes of G' and G is a bijection and 

2. There exists a (|N| × |N|) matrix E s.t. $A - E < A$ and $C \cdot A \cdot C^T - C \cdot E \cdot C^T = A'$, where the matrix E denotes 
the edges to be deleted from G. 

The first condition ensures that there is a one-to-one correspondence between the nodes of G' and G. 
The second condition ensures that at least one edge is deleted. 
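As an added example (not code from the paper), the following Python encodes the boolean matrix operations of Section 3.1 and checks Definitions 1 to 4 on the graphs of Figure 3 and on a constructed three-node instance of Figure 4 (the page gives only the added edge (1, 3); the remaining edges are assumed). The function names and the dictionary returned by check_figures are ours, not the paper's.

```python
# Added example (not code from the paper): the boolean matrix algebra of Section 3.1
# and Definitions 1 to 4, checked on the graphs of Figure 3 and on a constructed
# three-node instance of Figure 4.  A matrix is a list of rows of 0/1; node p is row/column p-1.

def neg(U):
    """¬U: elementwise boolean negation."""
    return [[1 - x for x in row] for row in U]

def transpose(U):
    """U^T."""
    return [list(col) for col in zip(*U)]

def add(U, V):
    """U+V: elementwise disjunction."""
    return [[a | b for a, b in zip(ru, rv)] for ru, rv in zip(U, V)]

def prod(U, V):
    """U*V: elementwise conjunction."""
    return [[a & b for a, b in zip(ru, rv)] for ru, rv in zip(U, V)]

def sub(U, V):
    """U-V: elementwise [U] ∧ ¬[V]."""
    return prod(U, neg(V))

def mult(U, V):
    """U·V: boolean product, [U·V]_i^j = OR over k of ([U]_i^k ∧ [V]_k^j)."""
    return [[int(any(U[i][k] & V[k][j] for k in range(len(V))))
             for j in range(len(V[0]))] for i in range(len(U))]

def relation(pairs, rows, cols):
    """A (rows x cols) 0/1 matrix with a 1 at each 1-based (p, q) pair."""
    M = [[0] * cols for _ in range(rows)]
    for p, q in pairs:
        M[p - 1][q - 1] = 1
    return M

def edges(A):
    """The 1-based edge set encoded by an adjacency matrix."""
    return {(i + 1, j + 1) for i, row in enumerate(A) for j, x in enumerate(row) if x}

# Shape of a correspondence relation C, an (|N'| x |N|) matrix: row p is a node of
# the transformed graph G', column q a node of the input graph G.
def is_total(C):
    return all(any(row) for row in C)                 # every node of G' maps to a node of G
def is_onto(C):
    return all(any(col) for col in transpose(C))      # every node of G is mapped to
def is_many_to_one(C):
    return any(sum(col) > 1 for col in transpose(C))  # several G' nodes share one G node
def is_one_to_many(C):
    return any(sum(row) > 1 for row in C)             # one G' node covers several G nodes
def is_bijection(C):
    return is_total(C) and is_onto(C) and not is_many_to_one(C) and not is_one_to_many(C)

def conjugate(C, M):
    """C·M·C^T: carry a relation on the nodes of G over to the nodes of G' through C."""
    return mult(mult(C, M), transpose(C))

def is_node_splitting(A, C, A2):
    """Definition 1: C total, onto, many-to-one, and C·A·C^T = A'."""
    return is_total(C) and is_onto(C) and is_many_to_one(C) and conjugate(C, A) == A2

def is_node_merging(A, C, A2):
    """Definition 2: C total, onto, one-to-many, and C·A·C^T = A'."""
    return is_total(C) and is_onto(C) and is_one_to_many(C) and conjugate(C, A) == A2

def is_edge_addition(A, C, E, A2):
    """Definition 3 with witness E: C bijective, A+E > A, and C·A·C^T + C·E·C^T = A'."""
    return is_bijection(C) and add(A, E) != A and add(conjugate(C, A), conjugate(C, E)) == A2

def is_edge_deletion(A, C, E, A2):
    """Definition 4 with witness E: C bijective, A-E < A, and C·A·C^T - C·E·C^T = A'."""
    return is_bijection(C) and sub(A, E) != A and sub(conjugate(C, A), conjugate(C, E)) == A2

# Figure 3: G has nodes {1, 2} with edges (1,2), (2,1); splitting node 1 into nodes
# 1 and 3 gives G' with nodes {1, 2, 3}.  C maps 1->1, 2->2, 3->1 (the dashed arrows).
A_G = relation([(1, 2), (2, 1)], 2, 2)
C_SPLIT = relation([(1, 1), (2, 2), (3, 1)], 3, 2)
A_G2 = conjugate(C_SPLIT, A_G)                        # A' = C·A·C^T

# Figure 4, constructed (the page only gives the added edge (1,3)): G has nodes
# {1, 2, 3} with edges (1,2), (2,3); G' additionally has edge (1,3).
A_H = relation([(1, 2), (2, 3)], 3, 3)
E_H = relation([(1, 3)], 3, 3)
C_ID = relation([(1, 1), (2, 2), (3, 3)], 3, 3)
A_H2 = add(A_H, E_H)

def check_figures():
    """Apply Definitions 1-4 to both figures.  Merging and deletion are the same
    transformations run backwards, with the opposite correspondence C^T."""
    return {
        "split_edges": edges(A_G2),
        "split_ok": is_node_splitting(A_G, C_SPLIT, A_G2),
        "merge_ok": is_node_merging(A_G2, transpose(C_SPLIT), A_G),
        "split_is_not_merge": not is_node_merging(A_G, C_SPLIT, A_G2),
        "add_ok": is_edge_addition(A_H, C_ID, E_H, A_H2),
        "delete_ok": is_edge_deletion(A_H2, transpose(C_ID), E_H, A_H),
        "add_needs_new_edge": not is_edge_addition(A_H, C_ID, A_H, A_H),  # vacuous E rejected
    }
```

The split_edges entry recovers exactly the four edges (1, 2), (3, 2), (2, 1), (2, 3) that the text traces diagrammatically for G' in Figure 3, and the last entry shows why the definitions require the non-vacuous side conditions.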

3.6. Node Addition 

For a graph G, given a set of edges E, a node addition transformation adds a new node along each edge in 
E. It splits the edges in E and adds the new nodes as successors to the source nodes of the edges in E and 
as predecessors to the target nodes of the edges in E. The rest of the edges of G are preserved. 

For example, consider the two graphs shown in Figure 5. The graph G' is obtained by adding node 4 
along edge (3, 2) of G. Edge (3, 2) is split into two edges (3, 4) and (4, 2), making node 4 a successor of node 
3 and a predecessor of node 2. The correspondence relation C is given as the dashed gray arrows from right 
to left. The lightgray solid arrows from right to left marked as $N_S$ map the newly added nodes to the target 
nodes of the edges in E. The lightgray dotted arrows from left to right marked as $N_P$ map the source nodes 
of the edges in E to the newly added nodes. 

The correspondence between the edges of the two graphs can be traced diagrammatically. Edge (3, 4) is 
obtained by following the C arrow from node 3 of G' to node 3 of G and then following the $N_P$ arrow from 
node 3 to node 4 of G'. Edge (4, 2) is obtained by following the $N_S$ arrow from node 4 of G' to node 2 of G 
and then following the C arrow from node 2 of G to node 2 of G'. In order to form edges corresponding to 
the edges of G, we traverse all the edges of G except the edges belonging to E. 

Transform G to G' : Add node 4 along the edge (3, 2) 
(or Transform G' to G : Delete node 4) 

Fig. 5. An Example of Node Addition (or Node Deletion) 

Definition 5. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called a node addition transformation if

1. The correspondence relation C between the nodes of G' and G is a partial, onto, and one-to-one relation and

2. Let the set of edges to be split be represented by an adjacency matrix E. Let $E_s = E \cdot 1$ be a vector denoting the source nodes of the edges in E. Let $E_t = E^T \cdot 1$ be a vector denoting the target nodes of the edges in E and $\eta' = 1 - C \cdot 1$ be a vector denoting the new nodes. There exist a (|N| × |N|) matrix E, a (|N| × |N'|) matrix Np, and a (|N'| × |N|) matrix Ns such that the following conditions hold:

(a) $E \leq A$,

(b) Np is a total and onto relation from the nodes denoted by $E_s$ to the nodes denoted by $\eta'$,

(c) Ns is a total and onto relation from the nodes denoted by $\eta'$ to the nodes denoted by $E_t$,

(d) $E = N_p \cdot N_s$, and

(e) $(C \cdot A \cdot C^T - C \cdot E \cdot C^T) + C \cdot N_p + N_s \cdot C^T = A'$.

The first condition ensures that there is at least one new node in the transformed graph (partiality) but no nodes of the input graph are deleted (ontoness). The one-to-one nature of the correspondence relation ensures that no nodes of the input graph are split or merged.

The second condition states the following: (a) The set E of the edges to be split is a subset of the edges of the input graph. (b)-(c) All the edges in E are split. (d) The edge splitting does not lead to any extraneous edges or any edges between the new nodes in the transformed graph. (e) It defines the adjacency matrix A' of the transformed graph in terms of the adjacency matrix A of the input graph, the matrix E, and the relations C, Np and Ns. $E_I$ and $E_O$ respectively denote the incoming and outgoing edges for the new nodes as shown in Figure 5.

3.7. Node Deletion

A node deletion transformation of a graph G deletes at least one node. The incoming edges of the node being deleted are composed with its outgoing edges. The rest of the edges of G are preserved. For example, consider the two graphs shown in Figure 5 once again. This time consider G to be a transformation of G'. Node 4 of G' is deleted and edges (3, 4) and (4, 2) are joined to get edge (3, 2) of G. The correspondence relation C is given as the dashed gray arrows from left to right (opposite to that of the node addition example). The dotted gray arrows from left to right marked as Np map the nodes in G' corresponding to the predecessors of the node being deleted to the node being deleted. The solid gray arrows from right to left marked as Ns map the node being deleted to the nodes in G' corresponding to the successors of the node being deleted.
The correspondence between the edges of the two graphs can be traced diagrammatically. 

Definition 6. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called a node deletion transformation if all of the following conditions hold:

1. The correspondence relation C between the nodes of G' and G is total and one-to-one but not onto.

2. Let $\delta = 1 - C^T \cdot 1$ be a vector denoting the nodes being deleted. Let $\delta_p = A \cdot \delta$ be a vector denoting the predecessors of the nodes being deleted and $\delta_s = A^T \cdot \delta$ be a vector denoting the successors of the nodes being deleted. We require that no two nodes having an edge between them can be deleted. We state this requirement as $\delta * (\delta_p + \delta_s) = 0$.

3. Let $\delta_{p'} = C \cdot \delta_p$ and $\delta_{s'} = C \cdot \delta_s$ be the nodes in G' corresponding respectively to the nodes denoted by $\delta_p$ and $\delta_s$. Further, let $E = (A \cdot A) * (\delta_p \times \delta_s)$ where × is the Cartesian product operator. The set E gives the set of edges obtained by joining the incoming and outgoing edges of the nodes being deleted. There exist a (|N'| × |N|) matrix Np and a (|N| × |N'|) matrix Ns such that the following conditions hold:

(a) Np is a total and onto relation from the nodes denoted by $\delta_{p'}$ to the nodes denoted by $\delta$,

(b) Ns is a total and onto relation from the nodes denoted by $\delta$ to the nodes denoted by $\delta_{s'}$,

(c) $C \cdot E \cdot C^T = N_p \cdot N_s$, and

(d) $C \cdot A \cdot C^T + N_p \cdot N_s = A'$.

The first condition states that there are no new nodes (totality) in the transformed graph and no nodes of the input graph are split or merged (one-to-one nature). However, at least one node of the input graph is deleted (the correspondence relation not being onto). The second condition states that no two nodes with an edge between them are deleted.

The third condition states the following: (a)-(b) The incoming edges of the nodes being deleted are joined with the outgoing edges. (c) The node deletion does not create any other edges (except those allowed by (a) and (b)) in the transformed graph. (d) It defines the adjacency matrix A' of the transformed graph in terms of the adjacency matrix A of the input graph and the relations C, Np, and Ns.

3.8. Isomorphic Transformation 

An isomorphic transformation transforms a graph into an isomorphic graph. 

Definition 7. The transformation of a graph G = (N, A) to a graph G' = (N', A') is called an isomorphic transformation if

1. The correspondence C between the nodes of G' and G is a bijection and

2. $C \cdot A \cdot C^T = A'$.

4. Primitive program transformations 

A primitive program transformation (or simply a transformation primitive) changes an input program in a small well-defined step. In this section, we present only the transformation primitives used in the CSE specification (Figure 1): insertion of predecessors (IP), insertion of assignments (IA), and replacement of expressions (RE). To define a primitive, we need to define the associated control flow and content transformations. A control flow transformation is modeled in terms of the primitive graph transformations (Section 3). This requires setting up various relations (matrices) used in the definitions of the primitive graph transformations.

Apart from the primitives presented here, we have also defined several other primitives, viz. insertion of successors (IS), edge splitting (SE), deletion of statements (PS), and replacement of variable operands (RV). The formal definitions of all the primitives are available in [Kan07]. These primitives have been used for defining most of the classical optimizations like common subexpression elimination, optimal code placement, loop invariant code motion, lazy code motion, and full and partial dead code elimination [Kan07].
Fig. 6. An example of insertion of predecessors transformation: insert program point 7 as the predecessor to program point 2.



4.1. Insertion of predecessors 

Consider the two programs shown in Figure 6 such that prog' = IP(prog, succs, newpoints). The program prog' is obtained by inserting the new program point 7 as the predecessor to program point 2. Let us use the ordered sequence (1, ..., 6) for indexing vectors/matrices associated with prog. Let succs = (0, 1, 0, 0, 0, 0) represent a set containing program point 2. Let newpoints = (0, 0, 0, 0, 0, 0, 1) denote the set of new program points to be inserted as predecessors to succs. The ordered sequence for indexing vectors/matrices for prog' is (1, ..., 6, 7). The new program point 7 is placed at the end of the list.

We model a transformation of the control flow graph of a program by an application of IP as a node addition transformation (Definition 5). Given the arguments of IP, we set up the adjacency matrices for the relations C, Ns, and Np. For the transformation in Figure 6, we have the following:



The relation C is represented as the matrix shown here. The rows correspond to program points 1, ..., 7 (of the transformed program) and the columns correspond to program points 1, ..., 6 (of the input program). Note that since the new program point does not correspond to any program point in the input graph, the last row (corresponding to program point 7) has all (boolean) 0s.

The matrix Succs is a (1×6) matrix which is appended to a (6×6) matrix containing all 0s to get the (7×6) matrix Ns which maps program point 7 of prog' to program point 2 of prog.

The relation Np (denoted as a matrix) maps program points 1 and 5 (the predecessors of program point 2 in prog) to program point 7. Given the vector succs, we can identify the adjacency matrix E of the incoming edges to the program points denoted by succs. The matrix Np is then obtained as $E \cdot N_s^T$.

It can be verified that the matrices satisfy the conditions about the nature of the corresponding relations stated in Definition 5. For example, the correspondence matrix C denotes a partial (at least one row has all 0s), onto (each column has at least one non-zero element), and one-to-one relation (each column as well as each row has at most one non-zero element). Clearly, the adjacency matrix A' of the control flow graph of prog' can be obtained by substituting these matrices and the adjacency matrix A of the control flow graph of prog in Definition 5.

An insertion of predecessors transformation inserts SKIP statements at the newly inserted program points. If the target of a goto or a conditional statement belongs to the set represented by succs then the target is updated to its new predecessor program point (identified using the Ns relation). For the example shown in Figure 6, the target of the conditional statement at program point 5 will be updated to program point 7 in the transformed program. All other statements remain unchanged.

4.2. Insertion of assignments 

The insertion of assignments transformation primitive (IA) takes a program, a set of program points, a variable, and an expression as its arguments. An application IA(prog, points, v, e) of IA to a program prog inserts an assignment v := e at the program points denoted by the vector points. The rest of the statements remain unchanged. The control flow graph of the input program also remains unchanged and is defined as an isomorphic graph transformation (Definition 7).

4.3. Replacement of expressions 

The replacement of expressions transformation primitive (RE) takes a program, a set of program points, an expression, and a variable as its arguments. An application RE(prog, points, e, v) of RE to a program prog replaces the occurrences of the expression e at the program points denoted by the vector points. The rest of the statements remain unchanged. The control flow graph of the input program also remains unchanged and is defined as an isomorphic graph transformation (Definition 7).

5. Program transformations as transformations of Kripke structures 

Kripke structures serve as a natural modeling paradigm when the properties of interest are temporal in 
nature. In order to interpret temporal formulae, we abstract a program as a Kripke structure. The control 
flow graph of the program gives the transition relation of the Kripke structure. The atomic propositions of 
the Kripke structure correspond to the local data flow properties and the labeling function corresponds to 
the valuations of the local properties. 

In this section, we model program transformations as transformations of Kripke structures. A program 
transformation may consist of a structural transformation of the control flow graph and a content transfor- 
mation of the control flow graph nodes (statements). Similar to the program transformations, a structural 
transformation of a Kripke structure is defined using the primitive graph transformations. A content trans- 
formation is modeled by specifying modifications of atomic propositions and their labeling. 

5.1. Transformations of Kripke structures 

Definition 8. A Kripke structure M is a tuple (G, P, L) where G is a directed graph, P is a set of atomic propositions, and $L : P \to \mathbb{B}^n$ is a labeling function that maps each atomic proposition in P to a boolean vector of size n. The ith element of the vector L(p) is (boolean) 1 iff the proposition p holds at the ith node. $\mathbb{B}^n$ denotes the set of boolean vectors of size n where n is the number of nodes in G.

Following the usual assumption in program analysis but without loss of generality, we assume that G has a single entry and a single exit. Let A be the adjacency matrix of G. We consider an implicit ordering of the states of G for indexing vectors/matrices associated with M. We do not explicitly represent the states of a Kripke structure. We require A to be a total relation, i.e. every state should have an outgoing edge. For an atomic proposition p, we use p to denote L(p). There are two special atomic propositions ε and ω such that ε and ω respectively hold only at the entry and the exit states.

Definition 9. A Kripke transformation maps a Kripke structure M = (G, P, L) to a Kripke structure M' = (G', P', L') and is defined as follows:

(1) A graph transformation that maps G to G'. Let C be the correspondence matrix of the transformation.

(2) For each atomic proposition p' ∈ P', the labeling L'(p') (denoted as p') is defined in terms of the labeling of an atomic proposition p ∈ P and other atomic propositions of M and M' as follows:

$(C \cdot p + u') * \overline{v'} * w' = p'$ where u', v', and w' are temporal formulae (1)

(a) $C \cdot p$ indicates the states in M' which correspond to the states labeled by p in M,

(b) u' indicates the states in M' which may not correspond to the states labeled with p in M but are labeled with p' in M',

(c) v' indicates the states in M' which are not labeled with p', and

(d) w' indicates the states in M' which are labeled with p' and also with w'.

In general, the formulae u', v', and w' in Equation (1) can be arbitrary CTL_bp formulae possibly involving atomic propositions from both the input and the transformed Kripke structures. If there are m atomic propositions in M' then we get a system of m simultaneous equations. If the system is h-monotonic [KKS05] or simply monotonic then a solution to the equations can be computed iteratively and it completely determines the labeling of the transformed Kripke structure.

In our framework for verification of optimizations, we arrive at formulations of Kripke transformations only indirectly by modeling primitive program transformations as primitive Kripke transformations. Therefore, we do not solve formulations of Kripke transformations explicitly. Further, definitions of atomic propositions of the transformed Kripke structure involve only simple CTL_bp formulae.

We identify a Kripke transformation with the type of the graph transformation involved. Thus we have node splitting, node merging, edge addition, edge deletion, node addition, node deletion, and isomorphic Kripke transformations whose component graph transformations are as defined in Section 3.



5.2. Insertion of predecessors as node addition Kripke transformation 

In Section 2 we defined some local data flow properties, viz. Antloc, Transp, and Comp. We now introduce a few more properties. A variable v is Def at a program point if v is assigned at the program point. A variable v is Use at a program point if v appears in an expression at the program point. A variable v and an expression e satisfy the AssignStmt property at a program point if the statement at the program point is v := e.

Let prog₁ = IP(prog, succs, newpoints) be an application of the insertion of predecessors primitive. Since an insertion of predecessors transformation involves a node addition graph transformation, we can abstract it as a node addition Kripke transformation (part 1 of Definition 9).

We now define the local data flow properties (atomic propositions) of the transformed program prog₁ in terms of the local data flow properties of the input program prog (part 2 of Definition 9). Recall that IP inserts SKIP statements at the new program points and does not change statements at any other program point. Let C be the correspondence matrix for the (graph) transformation.

For any expression e and a variable v occurring in prog (and also in prog₁), the correlation of the atomic propositions for the transformation is defined as follows:

C·Antloc(prog, e) = Antloc(prog₁, e)

C·Transp(prog, e) + newpoints = Transp(prog₁, e)

C·Comp(prog, e) = Comp(prog₁, e)

C·Mod(prog, e) = Mod(prog₁, e)

C·Use(prog, v) = Use(prog₁, v)

C·Def(prog, v) = Def(prog₁, v)

C·AssignStmt(prog, v, e) = AssignStmt(prog₁, v, e)

Note that since the new program points (denoted by newpoints) contain SKIP statements in prog₁, for any expression e, Transp(prog₁, e) holds at newpoints.

Let succs' = C·succs be a new atomic proposition denoting the program points in prog₁ which correspond to the succs program points in prog. For each program point i from succs', there exists a program point j from newpoints such that i is the only predecessor of j and j is the only successor of i. Hence,

AX(prog₁.cfg, succs') = newpoints
AY(prog₁.cfg, newpoints) = succs'

Further, for each primitive program transformation, we lemmatize several other properties of the trans- 
formation or the transformed program. For instance, we introduce a lemma to state that the statements at 
the newly inserted program points newpoints are SKIP statements. The correctness of such lemmas can be 
proved from the definitions of the primitives. 
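The following is an added worked example (not code from the paper) that carries the boolean matrix algebra of Definition 5 through the insertion of predecessors recipe of Section 4.1 and checks the AX/AY relation stated above. Figure 6 is not reproduced here, so the six-point control flow graph is constructed with the shape the text describes (program point 2 has predecessors 1 and 5); the construction is generalised to any number of succs points, which goes beyond the paper's single-point example.

```python
# Added example, not code from the paper: the boolean matrix algebra of the node
# addition primitive (Definition 5), the insertion-of-predecessors recipe of
# Section 4.1 and the AX/AY relation of Section 5.2. Matrices are lists of rows
# of 0/1 ints and vectors are lists of 0/1 ints; indices are 0-based, so program
# point k of the paper is index k-1.

def mul(a, b):
    """Boolean matrix product: (a.b)[i][j] = OR_k (a[i][k] AND b[k][j])."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]

def mulv(a, v):
    """Boolean matrix-vector product a.v: image of the state set v under a."""
    return [int(any(a[i][k] and v[k] for k in range(len(v)))) for i in range(len(a))]

def tr(a):
    """Transpose: the converse of the relation a."""
    return [list(col) for col in zip(*a)]

def ew(op, a, b):
    """Elementwise boolean operation on equally shaped vectors or matrices."""
    if isinstance(a[0], list):
        return [ew(op, x, y) for x, y in zip(a, b)]
    return [int(op(x, y)) for x, y in zip(a, b)]

def plus(a, b):  return ew(lambda x, y: x or y, a, b)        # union (+)
def minus(a, b): return ew(lambda x, y: x and not y, a, b)   # difference (-)
def times(a, b): return ew(lambda x, y: x and y, a, b)       # intersection (*)

def leq(a, b):
    """Subset test a <= b: nothing of a is left after removing b."""
    return not any(map(any, minus(a, b))) if isinstance(a[0], list) else not any(minus(a, b))

def total_onto(r, dom, cod):
    """r is a total and onto relation from the states in dom to those in cod,
    relating no state outside dom x cod."""
    rows, cols = range(len(r)), range(len(r[0]))
    inside = all(not r[i][j] or (dom[i] and cod[j]) for i in rows for j in cols)
    total = all(not dom[i] or any(r[i][j] for j in cols) for i in rows)
    onto = all(not cod[j] or any(r[i][j] for i in rows) for j in cols)
    return inside and total and onto

def new_adjacency(A, E, C, Np, Ns):
    """Condition 2(e) of Definition 5: (C.A.C^T - C.E.C^T) + C.Np + Ns.C^T."""
    Ct = tr(C)
    kept = minus(mul(mul(C, A), Ct), mul(mul(C, E), Ct))   # old edges minus the split ones
    return plus(plus(kept, mul(C, Np)), mul(Ns, Ct))       # plus edges into and out of new nodes

def is_node_addition(A, A2, C, E, Np, Ns):
    """Conditions 1 and 2(a)-(e) of Definition 5 for G = (N, A) to G' = (N', A2)."""
    one, one2 = [1] * len(A), [1] * len(A2)
    partial = any(not any(row) for row in C)                 # some node of G' is new
    onto = all(any(col) for col in tr(C))                    # every node of G is kept
    one_to_one = all(sum(r) <= 1 for r in C) and all(sum(c) <= 1 for c in tr(C))
    Es, Et = mulv(E, one), mulv(tr(E), one)                  # sources / targets of split edges
    eta = minus(one2, mulv(C, one))                          # eta' = 1 - C.1, the new nodes
    return (partial and onto and one_to_one
            and leq(E, A)                                    # (a)
            and total_onto(Np, Es, eta)                      # (b)
            and total_onto(Ns, eta, Et)                      # (c)
            and mul(Np, Ns) == E                             # (d)
            and new_adjacency(A, E, C, Np, Ns) == A2)        # (e)

def insert_predecessors(A, succs):
    """Section 4.1 recipe, generalised to any number of succs: one new point per
    point in succs, appended after the existing points, becomes its single
    predecessor. Returns (C, E, Np, Ns, A') as used in Definition 5."""
    n = len(A)
    targets = [j for j in range(n) if succs[j]]
    C = [[int(i == j) for j in range(n)] for i in range(n)] + [[0] * n for _ in targets]
    Ns = [[0] * n for _ in range(n)] + [[int(j == t) for j in range(n)] for t in targets]
    E = [[int(A[i][j] and succs[j]) for j in range(n)] for i in range(n)]  # edges into succs
    Np = mul(E, tr(Ns))                                   # E.Ns^T: sources -> new points
    return C, E, Np, Ns, new_adjacency(A, E, C, Np, Ns)

def ax(A, phi):
    """AX(phi) in the strong reading: at least one successor and all of them satisfy phi."""
    one = [1] * len(A)
    return times(mulv(A, one), minus(one, mulv(A, minus(one, phi))))

def ay(A, phi):
    """AY(phi): at least one predecessor and all predecessors satisfy phi."""
    return ax(tr(A), phi)

# Constructed 6-point CFG with the shape the Section 4.1 text describes (Figure 6
# is not reproduced): point 2 has predecessors 1 and 5, point 5 being a conditional
# that jumps back to 2; the self-loop on exit point 6 keeps the relation total as
# Section 5 requires.
EDGES = {(1, 2), (2, 3), (3, 4), (4, 5), (5, 2), (5, 6), (6, 6)}
A = [[int((i, j) in EDGES) for j in range(1, 7)] for i in range(1, 7)]
succs = [0, 1, 0, 0, 0, 0]            # program point 2
newpoints = [0, 0, 0, 0, 0, 0, 1]     # program point 7 of prog'
C, E, Np, Ns, A2 = insert_predecessors(A, succs)
succs2 = mulv(C, succs)               # succs' of Section 5.2
```

In the resulting A', edges (1,2) and (5,2) are gone and (1,7), (5,7), (7,2) take their place, which is exactly what the diagrammatic tracing of Section 3.6 predicts.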



5.3. Insertion of assignments as isomorphic transformation 



Let prog₁ = IA(prog, points, v, e) be an application of the insertion of assignments primitive. Since an insertion of assignments transformation does not change the control flow graph of the input program, we can abstract it as an isomorphic Kripke transformation (part 1 of Definition 9).

Recall that IA inserts an assignment v := e at the program points denoted by points and does not change statements at other program points. We assume that the statement at any program point in points in prog is SKIP. This condition is defined as a part of the soundness conditions for IA.

Below we correlate the local data flow properties of the input program prog and the transformed program prog₁ (part 2 of Definition 9). e1 is an expression and v1 is a variable in the following:

Antloc(prog, e1) + points = Antloc(prog₁, e1) if e = e1
Antloc(prog, e1) = Antloc(prog₁, e1) otherwise

Transp(prog, e1) - points = Transp(prog₁, e1) if v is an operand of e1
Transp(prog, e1) = Transp(prog₁, e1) otherwise

Comp(prog, e1) - points = Comp(prog₁, e1) if v is an operand of e1
Comp(prog, e1) + points = Comp(prog₁, e1) else if e = e1
Comp(prog, e1) = Comp(prog₁, e1) otherwise

Mod(prog, e1) + points = Mod(prog₁, e1) if v is an operand of e1
Mod(prog, e1) = Mod(prog₁, e1) otherwise

Use(prog, v1) + points = Use(prog₁, v1) if v is an operand of e1
Use(prog, v1) = Use(prog₁, v1) otherwise

Def(prog, v1) + points = Def(prog₁, v1) if v = v1
Def(prog, v1) = Def(prog₁, v1) otherwise

AssignStmt(prog, v1, e1) + points = AssignStmt(prog₁, v1, e1) if v = v1 and e = e1
AssignStmt(prog, v1, e1) = AssignStmt(prog₁, v1, e1) otherwise



5.4. Replacement of expressions as isomorphic transformation 

Let prog₁ = RE(prog, points, e, v) be an application of the replacement of expressions primitive. Since a replacement of expressions transformation does not change the control flow graph of the input program, we can abstract it as an isomorphic Kripke transformation (part 1 of Definition 9).

Recall that RE replaces the occurrences of expression e at the program points denoted by points by variable v and does not change statements at other program points.

Below we correlate local data flow properties of the input program prog and the transformed program prog₁ (part 2 of Definition 9). e1 is an expression and v1 is a variable in the following:

Antloc(prog, e1) - points = Antloc(prog₁, e1) if e = e1
Antloc(prog, e1) + points = Antloc(prog₁, e1) if the expression e1 is just the variable v
Antloc(prog, e1) = Antloc(prog₁, e1) otherwise

Transp(prog, e1) = Transp(prog₁, e1)

Comp(prog, e1) - points = Comp(prog₁, e1) if e = e1
Comp(prog, e1) ≤ Comp(prog₁, e1) if the expression e1 is just the variable v
Comp(prog, e1) = Comp(prog₁, e1) otherwise

Mod(prog, e1) = Mod(prog₁, e1)

Use(prog, v1) - points = Use(prog₁, v1) if v1 is an operand of e
Use(prog, v1) + points = Use(prog₁, v1) else if v = v1
Use(prog, v1) = Use(prog₁, v1) otherwise

Def(prog, v1) = Def(prog₁, v1)

Note the inequality in the second correlation of the Comp property. Suppose the expression e1 ≠ e is just the variable v. If e1 is Comp at a program point i in the input program then it is also Comp at i in the transformed program. Therefore, Comp(prog, e1) ≤ Comp(prog₁, e1). At the program points denoted by points, the expression e1 is Antloc in the transformed program. However, depending on whether the left-hand side variable at a program point is v or not, it may or may not be Comp at that point. Since we do not require a complete characterization of Comp(prog₁, e1) in the proofs, we prefer the inequality as the correlation between the Comp program points. For similar reasons, we prefer an inequality in the second correlation of the AssignStmt property:

AssignStmt(prog, v1, e1) - points = AssignStmt(prog₁, v1, e1) if e = e1
AssignStmt(prog, v1, e1) ≤ AssignStmt(prog₁, v1, e1) if the expression e1 is just the variable v1
AssignStmt(prog, v1, e1) = AssignStmt(prog₁, v1, e1) otherwise

6. Temporal transformation logic 

In this section, we introduce the logic TTL. We present the syntax and the semantics of TTL operators. We 
then define the axioms and the basic inference rules. For each type of primitive Kripke transformations, we 
present the inference rules to correlate temporal properties between a Kripke structure and its transformation 
under the specific primitive transformation. 



6.1. Syntax and semantics 

We give boolean matrix algebraic semantics to CTL_bp formulae. For a formula φ, we denote the set of states where the formula is satisfied by a boolean vector φ. For an atomic proposition p, the labeling L(p) is denoted by a boolean vector p. The one-step temporal modalities can be defined by matrix multiplication. For example, the semantics of the formula EX(φ) is given by $A \cdot \varphi$ where A is the boolean adjacency matrix of the transition relation of the Kripke structure and the operator "·" denotes matrix multiplication. The semantics of path operators (until, globally, etc.) are specified by fixed points. Appendix A gives the syntax and semantics of CTL_bp formulae.

Consider a Kripke structure M and its transformed version M'. Let φ and φ' be CTL_bp formulae defined respectively over Kripke structures M and M'. As a convention, we use primed symbols for a transformed Kripke structure and unprimed symbols for an input Kripke structure. Correlations between CTL_bp formulae φ and φ' are denoted by the following TTL formulae:

$\varphi \rightarrow \varphi', \qquad \varphi \Rightarrow \varphi', \qquad \text{and} \qquad \varphi \leftarrow \varphi'$ (2)

The model of a TTL formula is the pair (M, M') of Kripke structures. Let C be the correspondence matrix that relates the nodes of M' and M. The semantics of the TTL formulae are defined as follows:

$(M, M') \models \varphi \rightarrow \varphi'$ iff $C \cdot \varphi \leq \varphi'$

$(M, M') \models \varphi \Rightarrow \varphi'$ iff $C \cdot \varphi = \varphi'$ (3)

$(M, M') \models \varphi \leftarrow \varphi'$ iff $C \cdot \varphi \geq \varphi'$

6.2. Axioms and basic inference rules 

An inference rule is represented as follows: 

$$\frac{\alpha_1 \quad \cdots \quad \alpha_k}{\beta}\ \text{(name of the rule and its scope)}$$

where the judgments $\alpha_1, \ldots, \alpha_k$ above the line denote the premises and the judgment below the line denotes the conclusion. A premise $\alpha_i$ can be a CTL_bp formula defined either on an input Kripke structure or on its transformation, or it can be a TTL formula. The conclusion β is a TTL formula. An inference rule has a name. The scope of the rule specifies the type of Kripke transformations for which the inference is valid. We abbreviate the transformation primitives by their first letters, e.g. node splitting is abbreviated as NS. If no specific scope is given then the rule is applicable to all primitive transformations.

Consider a pair (M, M') of Kripke structures where M' is a transformation of M according to some transformation within the scope of an inference rule. The inference rule states that if the premises hold for (M, M') then the conclusion also holds for (M, M').

In Figure 7 we give the axioms and basic inference rules of the logic. The correspondence matrix for a pair of Kripke structures (M, M') is denoted by C. The axiom AXM1 is applicable if an atomic proposition p defined on M and an atomic proposition p' defined on M' satisfy the condition $C \cdot p \leq p'$. In that case, $p \rightarrow p'$ follows directly. Note that the condition $C \cdot p \leq p'$ is not part of the logic. The axiom allows introduction of atomic judgments (judgments involving atomic propositions only) in a proof. Similarly for AXM2 and AXM3.

Proofs of the basic inference rules are straightforward. We only discuss a few interesting ones here. The rule MP2 is applicable to node addition transformations only. The atomic proposition η' denotes the set of new nodes in the transformed Kripke structure M'. It is defined as $\eta' = 1 - C \cdot 1$. MP2 is sound because (1) $1 \leq \varphi$ : given, (2) $C \cdot 1 \leq C \cdot \varphi$ : monotonic, (3) $C \cdot \varphi \leq \varphi'$ : given, (4) $C \cdot 1 \leq \varphi'$ : transitive, (5) $C \cdot 1 + (1 - C \cdot 1) \leq \varphi' + \eta'$ : monotonic and definition of η', and (6) $1 \leq \varphi' + \eta'$.

The rule MP3 is applicable to node deletion transformations only. The atomic proposition δ denotes the set of nodes that are deleted from the input Kripke structure. MP3 is sound because (1) $1 \leq \varphi + \delta$ : given, (2) $1 - \delta \leq \varphi$, (3) $C \cdot (1 - \delta) \leq C \cdot \varphi$ : monotonic, (4) $C \cdot \varphi \leq \varphi'$ : given, (5) $C \cdot (1 - \delta) = 1$ : C is a total but not onto function and does not relate the nodes of M' with the nodes being deleted, and (6) $1 \leq \varphi'$ : transitive.

The rule NI1 is applicable to the primitives which satisfy the constraint $C \cdot \bar{z} \geq \overline{C \cdot z}$ for any $z \in \mathbb{B}^n$ where n is the number of nodes of the input Kripke structure. NI1 is sound because (1) $C \cdot \varphi \leq \varphi'$ : given, (2) $\overline{C \cdot \varphi} \geq \overline{\varphi'}$ : negation, (3) $C \cdot \bar{\varphi} \geq \overline{C \cdot \varphi}$ : since $C \cdot \bar{z} \geq \overline{C \cdot z}$, and (4) $C \cdot \bar{\varphi} \geq \overline{\varphi'}$ : transitive. The rule NI2 is applicable to the primitives which satisfy the constraint that $C \cdot \bar{z} \leq \overline{C \cdot z}$. NI2 is sound because (1) $C \cdot \varphi = \varphi'$ : given, (2) $\overline{C \cdot \varphi} = \overline{\varphi'}$ : negation, (3) $C \cdot \bar{\varphi} \leq \overline{C \cdot \varphi}$ : since $C \cdot \bar{z} \leq \overline{C \cdot z}$, and (4) $C \cdot \bar{\varphi} \leq \overline{\varphi'}$ : transitive.

The relation $C \cdot \bar{z} \geq \overline{C \cdot z}$ means that for any $z \in \mathbb{B}^n$, the set of nodes of M' corresponding to the complement of z is a superset of the set of nodes of M' obtained by complementing the set of nodes (of M') corresponding to z. Conversely, $C \cdot \bar{z} \leq \overline{C \cdot z}$ means that the former set is a subset of the latter set. We now establish the relations between $C \cdot \bar{z}$ and $\overline{C \cdot z}$ for the primitive transformations.

Lemma 10. If C is the correspondence matrix of an NS, EA, ED, or ND transformation from M to M' and z is a vector on M then $C \cdot \bar{z} = \overline{C \cdot z}$.
(a) Axioms for introducing atomic judgments

$$\frac{}{p \rightarrow p'}\ (\text{AXM1 if } C \cdot p \leq p') \qquad \frac{}{p \Rightarrow p'}\ (\text{AXM2 if } C \cdot p = p') \qquad \frac{}{p \leftarrow p'}\ (\text{AXM3 if } C \cdot p \geq p')$$

(b) Forward Chaining

$$\frac{\varphi \supset \psi \quad \psi \rightarrow \psi'}{\varphi \rightarrow \psi'}\ (\text{FC1}) \qquad \frac{\varphi \rightarrow \varphi' \quad \varphi' \supset \psi'}{\varphi \rightarrow \psi'}\ (\text{FC2})$$

(c) Modus Ponens for TTL

$$\frac{\top \supset \varphi \quad \varphi \rightarrow \varphi'}{\top' \supset \varphi'}\ (\text{MP1 for NS, NM, EA, ED, IM}) \qquad \frac{\top \supset \varphi \quad \varphi \rightarrow \varphi'}{\top' \supset (\varphi' \vee \eta')}\ (\text{MP2 for NA}) \qquad \frac{\top \supset (\varphi \vee \delta) \quad \varphi \rightarrow \varphi'}{\top' \supset \varphi'}\ (\text{MP3 for ND})$$

(d) Modus Tollens for TTL

$$\frac{\varphi \rightarrow \varphi' \quad \varphi' \supset \bot'}{\varphi \supset \bot}\ (\text{MT1 for NS, NM, EA, ED, IM}) \qquad \frac{\varphi \rightarrow \varphi' \quad (\varphi' \wedge \neg\eta') \supset \bot'}{\varphi \supset \bot}\ (\text{MT2 for NA}) \qquad \frac{\varphi \rightarrow \varphi' \quad \varphi' \supset \bot'}{(\varphi \wedge \neg\delta) \supset \bot}\ (\text{MT3 for ND})$$

(e) Disjunct Introduction

$$\frac{\varphi \rightarrow \varphi' \quad \psi \rightarrow \varphi'}{(\varphi \vee \psi) \rightarrow \varphi'}\ (\text{DI1}) \qquad \frac{\varphi \rightarrow \varphi'}{\varphi \rightarrow (\varphi' \vee \psi')}\ (\text{DI2})$$

(f) Conjunct Introduction

$$\frac{\varphi \rightarrow \varphi'}{(\varphi \wedge \psi) \rightarrow \varphi'}\ (\text{CI1}) \qquad \frac{\varphi \rightarrow \varphi' \quad \varphi \rightarrow \psi'}{\varphi \rightarrow (\varphi' \wedge \psi')}\ (\text{CI2})$$

(g) Negation Introduction

$$\frac{\varphi \rightarrow \varphi'}{\neg\varphi \leftarrow \neg\varphi'}\ (\text{NI1 if } C \cdot \bar{z} \geq \overline{C \cdot z}) \qquad \frac{\varphi \Rightarrow \varphi'}{\neg\varphi \rightarrow \neg\varphi'}\ (\text{NI2 if } C \cdot \bar{z} \leq \overline{C \cdot z})$$

(h) Implication Relaxation

$$\frac{\varphi \Rightarrow \varphi'}{\varphi \rightarrow \varphi'}\ (\text{IR1}) \qquad \frac{\varphi \Rightarrow \varphi'}{\varphi \leftarrow \varphi'}\ (\text{IR2})$$

(i) Implication Transfer

$$\frac{\varphi \supset \psi \quad \varphi \Rightarrow \varphi' \quad \psi \Rightarrow \psi'}{\varphi' \supset \psi'}\ (\text{IT})$$

(j) Mixed Chaining

$$\frac{\varphi \Rightarrow \varphi' \quad \varphi \rightarrow \psi'}{\varphi' \supset \psi'}\ (\text{MC})$$

(k) Backward Chaining

$$\frac{\varphi \leftarrow \varphi' \quad \varphi' \supset \psi'}{\varphi \leftarrow \psi'}\ (\text{BC1}) \qquad \frac{\varphi \supset \psi \quad \psi \leftarrow \psi'}{\varphi \leftarrow \psi'}\ (\text{BC2})$$

(l) Disjunct/Conjunct Elimination

$$\frac{(\varphi \vee \psi) \rightarrow \varphi'}{\varphi \rightarrow \varphi'}\ (\text{DE}) \qquad \frac{\varphi \rightarrow (\varphi' \wedge \psi')}{\varphi \rightarrow \varphi'}\ (\text{CE})$$

(m) Implication Reverse Transfer

$$\frac{\varphi' \supset \psi' \quad \varphi \Rightarrow \varphi' \quad \psi \Rightarrow \psi'}{\varphi \supset \psi}\ (\text{IRT if } z = C^T \cdot C \cdot z)$$

(n) Negation Elimination

$$\frac{\neg\varphi \rightarrow \neg\varphi'}{\varphi \leftarrow \varphi'}\ (\text{NE1 if } C \cdot \bar{z} \geq \overline{C \cdot z}) \qquad \frac{\neg\varphi \leftarrow \neg\varphi'}{\varphi \rightarrow \varphi'}\ (\text{NE2 if } C \cdot \bar{z} \leq \overline{C \cdot z})$$

Fig. 7. Axioms and basic inference rules
Proof. Consider a boolean vector z defined over M.

$z + \bar{z} = 1$ : identity element

$C \cdot (z + \bar{z}) = C \cdot 1$ : monotonic

(i) $C \cdot z + C \cdot \bar{z} = 1$ : distributive; C is a total relation, hence $C \cdot 1 = 1$

Consider the following derivation.

$z * \bar{z} = 0$ : identity element

$C \cdot (z * \bar{z}) = C \cdot 0$ : monotonic

(ii) $C \cdot z * C \cdot \bar{z} = 0$ : since the relation C is a function, it distributes

We first show that $C \cdot \bar{z} \leq \overline{C \cdot z}$.

$1 = \bar{0}$

$C \cdot z + C \cdot \bar{z} = \overline{C \cdot z * C \cdot \bar{z}}$ : from (i) and (ii) above

(iii) $(C \cdot z + C \cdot \bar{z}) * C \cdot \bar{z} = \overline{(C \cdot z * C \cdot \bar{z})} * C \cdot \bar{z}$ : monotonic

$(C \cdot z * C \cdot \bar{z}) + (C \cdot \bar{z} * C \cdot \bar{z}) = (\overline{C \cdot z} * C \cdot \bar{z}) + (\overline{C \cdot \bar{z}} * C \cdot \bar{z})$ : distributive

$0 + C \cdot \bar{z} = (\overline{C \cdot z} * C \cdot \bar{z}) + 0$ : from (ii), identity element

$C \cdot \bar{z} \leq \overline{C \cdot z}$

Instead of $C \cdot \bar{z}$, if we take a product by $\overline{C \cdot z}$ in (iii), we get $C \cdot \bar{z} \geq \overline{C \cdot z}$. □

Lemma 11. If C is the correspondence matrix of an NM transformation from M to M' and z is a vector on M then $C \cdot \bar{z} \geq \overline{C \cdot z}$.

The proof of Lemma 11 is similar to that of Lemma 10. From Lemma 10 and Lemma 11 we know that the rule NI1 is applicable to the primitives NS, EA, ED, ND, and NM.

Lemma 12. If C is the correspondence matrix of an NA transformation from M to M', z is a vector on M, and η' is the atomic proposition denoting the new nodes in M' then $\overline{C \cdot z} * \overline{\eta'} = C \cdot \bar{z}$.

Proof. Consider a boolean vector z defined over M.

$z + \bar{z} = 1$

$C \cdot (z + \bar{z}) = C \cdot 1$ : monotonic

$C \cdot z + C \cdot \bar{z} = C \cdot 1 \leq 1$ : distributive; C being a partial function, $C \cdot 1 \leq 1$

Consider the following derivation.

$z * \bar{z} = 0$

$C \cdot (z * \bar{z}) = C \cdot 0$ : monotonic

(i) $C \cdot z * C \cdot \bar{z} = 0$ : distributive; C is a function

Since $\eta' = 1 - C \cdot 1$, we have $C \cdot z + C \cdot \bar{z} + \eta' = 1$.

substitute
distributive, monotonic
distributive, substitute (i)

third disjunct of LHS (ii)

(iii), (iv), monotonic, distributive
negation; $C \cdot \bar{z}$ and $\eta'$ are disjoint

Instead of $C \cdot \bar{z}$, if we take a product by $\overline{C \cdot z} * \overline{\eta'}$ in the third step, we get $C \cdot \bar{z} \geq \overline{C \cdot z} * \overline{\eta'}$. □

From Lemma Q21 for the primitive NA, C-z < C-z. Thus, additionally from Lemma [TU1 we know that the 
rule NI2 is applicable to the primitives NS, EA, ED, ND, and NA. 

The rule IRT is applicable to the primitives which satisfy the constraint z — C-C-z for any z E B n 
where n is the number of nodes of the input Kripke structure. IRT is sound because (1) (p' < ip' : given, 
(2) C-tp' < C-tp' : monotonic, (3) C-tp — tp' : given, (4) C-C-tp = C-ip' : monotonic, (5) tp = C-tp 1 : since 
z = C-C-z, (6) C-tp = ip' : given, (7) C-C-ip = C-tp' : monotonic, (8) tp — C-ip' : since z = C-C-z, and 

(9) tp < ip : substitute from (5) and (8) in (2). 

From the nature of the correspondence relations of the primitives, we have the following result. 

Lemma 13. If C is the correspondence matrix of a primitive transformation of M to M' and Z and Z' are boolean matrices of appropriate sizes then the following properties hold:

1. For an NS, EA, ED, NA, or IM transformation, $Z = C^{\mathsf T}\cdot C\cdot Z$ and $Z = Z\cdot C^{\mathsf T}\cdot C$.

2. For an NM transformation, $Z \le C^{\mathsf T}\cdot C\cdot Z$ and $Z \le Z\cdot C^{\mathsf T}\cdot C$.

3. For an ED, ND, or IM transformation, $Z' = C\cdot C^{\mathsf T}\cdot Z'$ and $Z' = Z'\cdot C\cdot C^{\mathsf T}$.

4. For an NS transformation, $Z' \le C\cdot C^{\mathsf T}\cdot Z'$ and $Z' \le Z'\cdot C\cdot C^{\mathsf T}$.

From Lemma 13 it is clear that $z = C^{\mathsf T}\cdot C\cdot z$ holds for NS, EA, ED, NA, and IM transformations and thus the rule IRT is applicable to them.

6.3. Transformation specific inference rules

The transformation specific rules define sound inferences for introduction of temporal operators in the TTL formulae. The rules we present in Figure 8 allow introduction of the same temporal operators on both sides of a TTL implication. The rules are different for different types of primitive transformations. We defer the proofs of soundness of the rules until Section 7. Here, we discuss them only informally. The boolean matrix algebraic semantics of CTLbp operators is given in the appendix.

An NM or an EA transformation inserts new edges in the transformed Kripke structure but preserves all the existing edges. Thus, we can correlate any existential temporal operator between the input and the transformed Kripke structures.

An ED transformation, on the other hand, deletes edges from the input Kripke structure but does not add any edges. Thus, we can correlate any universal temporal operator between the input and the transformed Kripke structures. However, TTL_ed rules are applicable only for future operators. In CTLbp, the past operator AY (Definition 21) is interpreted in a strong sense, i.e. for an AY formula to hold at a node, it must have at least one predecessor. At an entry node, i.e. a node without any predecessors, no AY formula holds. For edge deletion, we cannot guarantee existence of a predecessor for every node in the transformed Kripke structure.



We first show that $C\cdot\overline{z} \le \overline{C\cdot z} * \overline{\eta'}$.



= 



C-Z+C-Z+T]' 

(C-z+C-l+r]')*C-l 
(ii) 6+C-~z i +(tf*C-~z) 

C-l 
(Hi) C-z 

T]'*C-Z 

(iv) r\' 

C-f+rf 
C-l 



= C-z*C-z 

= (Cl+C^z)*C-l 

= (C^*C-~z)+0 

< C^?*C-? 

< CH 

< 7Tz*c-~i 

< cl 
c^ 



c- 



Z * 77 
(TTL_ns, TTL_im)

From $\varphi \to \varphi'$ infer $\Delta(\varphi) \to \Delta(\varphi')$; from $\varphi \to \varphi'$ and $\psi \to \psi'$ infer $\nabla(\varphi, \psi) \to \nabla(\varphi', \psi')$

where $\Delta$ and $\nabla$ are respectively any unary and binary CTLbp temporal operators
(a) Inference rules for node splitting and isomorphic transformations

(TTL_nm, TTL_ea)

From $\varphi \to \varphi'$ infer $\Delta(\varphi) \to \Delta(\varphi')$; from $\varphi \to \varphi'$ and $\psi \to \psi'$ infer $\nabla(\varphi, \psi) \to \nabla(\varphi', \psi')$

where $\Delta$ and $\nabla$ are respectively any existential unary and binary CTLbp temporal operators
(b) Inference rules for node merging and edge addition transformations

(TTL_ed)

From $\varphi \to \varphi'$ infer $\Delta(\varphi) \to \Delta(\varphi')$; from $\varphi \to \varphi'$ and $\psi \to \psi'$ infer $\nabla(\varphi, \psi) \to \nabla(\varphi', \psi')$

where $\Delta$ and $\nabla$ are respectively any universal future unary and binary CTLbp operators
(c) Inference rules for edge deletion transformations

(TTL_na)

From $\varphi \to \varphi'$ and $\eta' \to \varphi'$ infer $\Delta(\varphi) \to \Delta(\varphi')$; from $\varphi \to \varphi'$, $\psi \to \psi'$ and $\eta' \to \varphi'$ infer $\nabla(\varphi, \psi) \to \nabla(\varphi', \psi')$

where $\Delta$ and $\nabla$ are respectively any unary and binary CTLbp operators
(d) Inference rules for node addition transformations

(TTL_nd)

Rules concluding $\Delta(\psi) \to \Delta(\psi')$, $\Theta(\psi) \to \Theta(\psi')$ and $\nabla(\varphi, \psi) \to \nabla(\varphi', \psi')$, with premises on $\delta$

where $\Delta$ = EX, AX, EY, AY; $\Theta$ = EG, AG, EH, AH; and $\nabla$ = EU, AU, EW, AW, ES, AS
(e) Inference rules for node deletion transformations

Fig. 8. Transformation specific inference rules



The existence of successors however is guaranteed because for a Kripke structure to be well-formed, every 
node has to have an outgoing edge. Hence, we can correlate universal future CTLbp operators. 

In Figure 8(d), $\eta'$ is an atomic proposition of a transformed Kripke structure that denotes the nodes newly added by an NA transformation. In Figure 8(e), $\delta$ is an atomic proposition of an input Kripke structure that denotes the nodes being deleted by an ND transformation.



6.4. Verification of compiler optimizations revisited 

In Section 5 we discussed a verification scheme for specifications of compiler optimizations that motivated the development of TTL. We now give a sketch of the proof of a verification condition for the CSE specification (Figure 1) using TTL. We have used TTL to prove soundness of several optimizations, viz. common subexpression elimination, optimal code placement, loop invariant code motion, lazy code motion, and full and partial dead code elimination, in the PVS theorem prover.

Consider the last transformation RE(prog4, redund4, e, t). Common subexpression elimination is performed for non-trivial expressions, i.e. expressions containing some operator. Thus we need to establish part (b) of the constraint (4) in the soundness condition for the primitive RE. Formally, we need to show that

redund4 ⊃ AY(prog4'cfg, AS(prog4'cfg, Transp(prog4,e) * ¬Def(prog4,t), AssignStmt(prog4,t,e))) = φ4   (4)

From the definition of Avail, we know that

redund ⊃ AY(prog1'cfg, AS(prog1'cfg, Transp(prog1,e), orgavails))

We can prove that orgavails ⊃ Transp(prog1,e). Let redund2 be the set of program points in prog2 that correspond to redund. Since IP is a node addition transformation, using TTL_na and the correlations of local data flow properties under an IP transformation (Section 5.2),

redund2 ⊃ AY(prog2'cfg, AS(prog2'cfg, Transp(prog2,e), newpoints))

The variable t is declared as a new variable for prog2. Thus, ¬Def(prog2,t) is an invariant property. Hence,

redund2 ⊃ AY(prog2'cfg, AS(prog2'cfg, Transp(prog2,e) * ¬Def(prog2,t), newpoints))

Since IA is an isomorphic transformation, using TTL_im and the correlations of local data flow properties under an IA transformation (Section 5.3),

redund2 ⊃ AY(prog3'cfg, AS(prog3'cfg, Transp(prog3,e) * ¬Def(prog3,t), AssignStmt(prog3,t,e))) = φ3   (5)

Now, consider the following derivation:

Def(prog3,t) ⇒ Def(prog4,t)   (Section 5)

¬Def(prog3,t) → ¬Def(prog4,t)   (Rule NI2, Figure 7)

Transp(prog3,e) ⇒ Transp(prog4,e)   (Section 5)

Transp(prog3,e) * ¬Def(prog3,t) → Transp(prog4,e) * ¬Def(prog4,t)   (Rules CI1, CI2, Figure 7)

Recall that t is a new variable with respect to prog2. Hence, there cannot be any assignment to t in prog2. The transformation of prog2 to prog3 involves insertion of ASSIGN(t,e) at newpoints which are distinct from orgavails3. Hence, AssignStmt(prog3,t,e) → AssignStmt(prog4,t,e). Since RE is an isomorphic transformation, using TTL_im for the transformation of prog3 to prog4, we have φ3 → φ4.

Also redund2 ⇒ redund4. We thus have the following simple derivation: (1) redund2 ← redund4: by IR2, (2) redund2 ⊃ φ3: from Equation (5), (3) φ3 → φ4: proved above, (4) redund2 → φ4: by FC1, and (5) redund4 ⊃ φ4: from steps (1) and (4), MC. This establishes the verification condition (Equation (4)) of the last transformation in the CSE specification.



7. Soundness of the logic 

In Section 7.1 we define simulation, bisimulation, and a special case of weak bisimulation between Kripke structures. For each transformation primitive, we show in Section 7.2 what kind of simulation relation the transformation constructs between the input and the transformed Kripke structures. In Section 7.3 we prove that certain correlations between CTLbp formulae hold between a pair of Kripke structures if a particular kind of simulation relation exists between them. The soundness of the transformation specific inference rules follows immediately from the results in Section 7.2 and Section 7.3.



7.1. Algebraic formulations of simulation relations 

7.1.1. Binary relations 

Consider sets P and Q containing n and m elements respectively. We represent an ordered relation $R \subseteq Q \times P$ by an $(m \times n)$ boolean matrix. A subset $X \subseteq P$ (or $X \subseteq Q$) is denoted by a boolean vector of size n (or size m). Let $B^n$ and $B^m$ denote the sets of all boolean vectors of sizes n and m respectively.

A relation $R \subseteq Q \times P$ can also be considered as a function $R : B^n \to B^m$. For simplicity of presentation, we consider boolean vectors and column matrices interchangeably and do not distinguish between $B^n$ and $B^{(n,1)}$. With the interpretation of a boolean matrix as a function over boolean vectors, the matrix multiplication $R\cdot z$ where $z \in B^n$ can be seen as a function application. A matrix multiplication $R_1\cdot R_2$ can be considered as function composition $(R_1 \circ R_2)$. The transpose $R^{\mathsf T}$ of matrix R represents the inverse of relation R and is the function $R^{\mathsf T} : B^m \to B^n$.

We now formalize various properties of a relation R in the boolean matrix algebraic setting. Let $z \in B^n$ and $z' \in B^m$. We abbreviate the one-to-one, one-to-many, many-to-one, and many-to-many properties of relations by 1-1, 1-m, m-1, m-m respectively.



$R\cdot 1 = 1$   (total)

$R\cdot 1 \le 1$   (may not be total)

$z' = R\cdot R^{\mathsf T}\cdot z'$   (total but neither m-1 nor m-m)

$z' \le R\cdot R^{\mathsf T}\cdot z'$   (total and possibly m-1 or m-m)

$R\cdot R^{\mathsf T}\cdot z' \le z'$   (possibly not total and neither m-1 nor m-m)

$\overline{R\cdot z} = R\cdot\overline{z}$   (total but neither 1-m nor m-m)

$\overline{R\cdot z} \le R\cdot\overline{z}$   (total and possibly 1-m or m-m)

$R\cdot\overline{z} \le \overline{R\cdot z}$   (possibly not total and neither 1-m nor m-m)

(6)



The above list gives properties of relation R in its first argument. Similarly, we define properties of relation R in its second argument as follows.

$R^{\mathsf T}\cdot 1 = 1$   (onto)

$R^{\mathsf T}\cdot 1 \le 1$   (may not be onto)

$z = R^{\mathsf T}\cdot R\cdot z$   (onto but neither 1-m nor m-m)

$z \le R^{\mathsf T}\cdot R\cdot z$   (onto and possibly 1-m or m-m)

$R^{\mathsf T}\cdot R\cdot z \le z$   (possibly not onto and neither 1-m nor m-m)

$\overline{R^{\mathsf T}\cdot z'} = R^{\mathsf T}\cdot\overline{z'}$   (onto but neither m-1 nor m-m)

$\overline{R^{\mathsf T}\cdot z'} \le R^{\mathsf T}\cdot\overline{z'}$   (onto and possibly m-1 or m-m)

$R^{\mathsf T}\cdot\overline{z'} \le \overline{R^{\mathsf T}\cdot z'}$   (possibly not onto and neither m-1 nor m-m)

(7)



7.1.2. Simulation relations between Kripke structures 

Consider Kripke structures $M = (G, P, L)$ and $M' = (G', P', L')$ with A and A' as respective adjacency matrices. Let there be n nodes in M and n' nodes in M'. Let an $(n' \times n)$ boolean matrix R be a relation between the nodes of M' and M. We use unprimed symbols for M and primed symbols for M'.

Definition 14. A relation R is a simulation relation between Kripke structures M and M' (denoted as $M \rhd_R M'$) if (1) $R\cdot A\cdot R^{\mathsf T} \le A'$ and (2) for all $z \in B^n$, $z \le R^{\mathsf T}\cdot R\cdot z$.

Condition (1) states that if p' and p are related by R ($[R]^{p'}_{p} = 1$) and there exists an edge (p, q) in M ($[A]^{q}_{p} = 1$), and some q' is related to q ($[R]^{q'}_{q} = [R^{\mathsf T}]^{q}_{q'} = 1$) then there is an edge (p', q') ($[A']^{q'}_{p'} = 1$). In other words, if there is an edge (p, q) in M and p' and q' are related to p and q through R, then there exists an edge (p', q') in M'.

As discussed in Section 5, we model programs as Kripke structures. We consider local data flow properties as atomic propositions. The labeling of nodes by atomic propositions is determined by valuations of the properties. The standard formulations of simulation relations [CGP00] require related nodes to be labeled with the same atomic propositions. Our aim is to model program transformations as Kripke transformations. Since program transformations can change statements, we shall not insist on equality of atomic labels.

From Equation (7), we know that condition (2) states that R should be an onto relation and it can possibly be one-to-many or many-to-many. Thus, $M \rhd_R M'$ if for every edge in M, there is a corresponding edge in M'.

Definition 15. A relation R is a bisimulation relation between Kripke structures M and M' (denoted as $M \bowtie_R M'$) if $M \rhd_R M'$ and $M' \rhd_{R^{\mathsf T}} M$.

A relation R is a bisimulation between Kripke structures M and M' if R is a simulation between M and M' and its inverse, i.e. $R^{\mathsf T}$, is a simulation between M' and M. Thus, R should be a total and onto relation such that for every edge in M there is a corresponding edge in M' and vice versa.
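The characterisations of Equations (6) and (7) and the conditions of Definitions 14 and 15 can be checked mechanically on small Kripke structures. The following Python example is added here and is not code from the paper; it builds a constructed three-node Kripke structure M, applies a node splitting (the case of Theorem 17) and an edge addition (the case of Theorem 18) to it, checks Definition 14 by brute force over all boolean vectors, and confirms, for every relation of a given size, that the matrix identities of (6) and (7) coincide with the total, onto, one-to-many and many-to-one properties counted directly from the matrix. Node numbers, matrix names and the helper functions are the example's own; the transpose is written `Rt`.

```python
from itertools import product

T, F = True, False

# Boolean matrices are lists of rows of bools; vectors are lists of bools.
# '+' is OR, '*' is AND, '.' is the boolean matrix product of the paper.
def transpose(X):
    return [list(col) for col in zip(*X)]

def mul(X, Y):
    """Boolean matrix product: [X.Y]_ij = OR_k (X_ik AND Y_kj)."""
    return [[any(X[i][k] and Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def app(X, z):
    """Apply X, read as a function on boolean vectors, to the vector z."""
    return [any(X[i][k] and z[k] for k in range(len(z))) for i in range(len(X))]

def leq(X, Y):
    """Pointwise order on two vectors or two matrices of the same shape."""
    flat = lambda V: [v for row in V for v in (row if isinstance(row, list) else [row])]
    return all(a <= b for a, b in zip(flat(X), flat(Y)))

def neg(z):
    return [not v for v in z]

def vectors(k):
    return [list(v) for v in product([F, T], repeat=k)]

def all_relations(m, n):
    """Every (m x n) boolean matrix, used to check (6)/(7) exhaustively."""
    for bits in product([F, T], repeat=m * n):
        yield [list(bits[i * n:(i + 1) * n]) for i in range(m)]

def relation_properties(R):
    """total/onto/1-m/m-1 of R as a subset of Q x P, counted from rows and columns."""
    row_sums = [sum(r) for r in R]             # how many p each q is related to
    col_sums = [sum(c) for c in transpose(R)]  # how many q each p is related to
    return {"total": all(s >= 1 for s in row_sums),
            "onto": all(s >= 1 for s in col_sums),
            "one_to_many": any(s > 1 for s in row_sums),
            "many_to_one": any(s > 1 for s in col_sums)}

def matrix_identities(R):
    """The equalities of Equations (6) and (7), checked for every boolean vector."""
    Rt, m, n = transpose(R), len(R), len(R[0])
    return {"z' = R.Rt.z'": all(app(R, app(Rt, z)) == z for z in vectors(m)),
            "not(R.z) = R.not z": all(neg(app(R, z)) == app(R, neg(z)) for z in vectors(n)),
            "z = Rt.R.z": all(app(Rt, app(R, z)) == z for z in vectors(n)),
            "not(Rt.z') = Rt.not z'": all(neg(app(Rt, z)) == app(Rt, neg(z)) for z in vectors(m))}

def identities_match_properties(R):
    """Each identity holds exactly when the property named beside it in (6)/(7) holds."""
    p, q = relation_properties(R), matrix_identities(R)
    return (q["z' = R.Rt.z'"] == (p["total"] and not p["many_to_one"]) and
            q["not(R.z) = R.not z"] == (p["total"] and not p["one_to_many"]) and
            q["z = Rt.R.z"] == (p["onto"] and not p["one_to_many"]) and
            q["not(Rt.z') = Rt.not z'"] == (p["onto"] and not p["many_to_one"]))

def is_simulation(R, A, A2):
    """Definition 14: M |>_R M' iff R.A.Rt <= A' and z <= Rt.R.z for every z on M."""
    Rt = transpose(R)
    return (leq(mul(mul(R, A), Rt), A2) and
            all(leq(z, app(Rt, app(R, z))) for z in vectors(len(A))))

def is_bisimulation(R, A, A2):
    """Definition 15: M |>_R M' and M' |>_{Rt} M."""
    return is_simulation(R, A, A2) and is_simulation(transpose(R), A2, A)

# Constructed input Kripke structure M: nodes 0,1,2 with edges 0->1, 1->2, 2->2
# (every node has a successor, so M is well-formed). A[p][q] is True for edge (p,q).
A = [[F, T, F],
     [F, F, T],
     [F, F, T]]
# Node splitting: node 1 of M becomes nodes 1 and 2 of M'; node 2 of M becomes node 3.
# Rows index nodes of M', columns index nodes of M (constructed correspondence matrix).
C_NS = [[T, F, F],
        [F, T, F],
        [F, T, F],
        [F, F, T]]
A_NS = mul(mul(C_NS, A), transpose(C_NS))   # Definition 1: A' = C.A.Ct
# Edge addition: the same nodes, with the new edge 0->2; C is the identity.
C_EA = [[T, F, F], [F, T, F], [F, F, T]]
A_EA = [[F, T, T],
        [F, F, T],
        [F, F, T]]

if __name__ == "__main__":
    print("node splitting: simulation", is_simulation(C_NS, A, A_NS),
          "bisimulation", is_bisimulation(C_NS, A, A_NS))
    print("edge addition:  simulation", is_simulation(C_EA, A, A_EA),
          "bisimulation", is_bisimulation(C_EA, A, A_EA))
    print("C_NS properties:", relation_properties(C_NS))
    print("(6)/(7) agree on every 3x2 relation:",
          all(identities_match_properties(R) for R in all_relations(3, 2)))
```

The brute-force quantification over all vectors is affordable here only because the structures are tiny; for the identities of (6)/(7) the exhaustive check over every 3x2 relation is what makes the correspondence between the matrix form and the counted properties convincing rather than anecdotal.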






Kanade, Sanyal, Khedker 



We now consider a special case of weak bisimulation called one-step weak bisimulation. The formulation is asymmetric in the sense that only one Kripke structure has internal nodes. Let M and M' be two Kripke structures such that only M' has internal nodes which do not correspond to any nodes in M. Unlike the standard formulations of weak bisimulation [BCG88, NV95], we require that no two internal nodes can have an edge between them. In other words, internal and visible nodes can only alternate. Let us denote the set of nodes in M by N and the set of nodes in M' by N'. Let us denote the set of internal nodes in M' by $\eta'$. The set of visible nodes is $N' - \eta'$.

We characterize a one-step weak bisimulation by three relations between the nodes of M and M'. An $(n' \times n)$ relation $R \subseteq (N' - \eta') \times N$ which relates visible nodes of the two Kripke structures. An $(n' \times n)$ relation $S \subseteq \eta' \times N$ which relates internal nodes of M' to visible nodes of M and an $(n \times n')$ relation $P \subseteq N \times \eta'$ which relates visible nodes of M to internal nodes of M'. Let n be the number of nodes in M and n' be the number of nodes in M'.

Definition 16. A triple (R, P, S) is a one-step weak bisimulation between M and M' (denoted as $M \prec_{(R,P,S)} M'$) if (1) $R\cdot A\cdot R^{\mathsf T} = (A' - R\cdot P - S\cdot R^{\mathsf T}) + R\cdot P\cdot S\cdot R^{\mathsf T}$, (2) $R\cdot P \le A'$, (3) $S\cdot R^{\mathsf T} \le A'$, (4) $S\cdot 1 = P^{\mathsf T}\cdot 1 = \eta' = 1 - R\cdot 1$, (5) $P\cdot R = 0$, (6) $R^{\mathsf T}\cdot S = 0$, (7) for all $z \in B^n$, $z = R^{\mathsf T}\cdot R\cdot z$, (8) for all $z' \in B^{n'}$, $z' * \overline{\eta'} = R\cdot R^{\mathsf T}\cdot(z' * \overline{\eta'})$, (9) for all $z' \in B^{n'}$, $R^{\mathsf T}\cdot(z' * \overline{\eta'}) = R^{\mathsf T}\cdot z'$, and (10) $\eta' * (A'\cdot\eta' + A'^{\mathsf T}\cdot\eta') = 0$.

Condition (1) states that if p' and p are related by R ($[R]^{p'}_{p} = 1$) and there exists an edge (p, q) in M ($[A]^{q}_{p} = 1$), and some q' is related to q ($[R]^{q'}_{q} = [R^{\mathsf T}]^{q}_{q'} = 1$) then one of the following holds:

(a) There is an edge (p', q') ($[A']^{q'}_{p'} = 1$) and there does not exist any node r in M such that (i) p' is related to r by R ($[R]^{p'}_{r} = 1$) and r is related to q' by P ($[P]^{r}_{q'} = 1$) or (ii) p' is related to r by S ($[S]^{p'}_{r} = 1$) and r is related to q' by R ($[R]^{q'}_{r} = 1$).

(b) There exists a node r' in M' such that p is related to r' through P ($[P]^{p}_{r'} = 1$) and r' is related to q through S ($[S]^{r'}_{q} = 1$). In other words, the condition states that the edge (p, q) is split into two edges (p', r') and (r', q') (where r' is an internal node).

Condition (2) states that if p' and p are related by R ($[R]^{p'}_{p} = 1$) and p is related to r' through P ($[P]^{p}_{r'} = 1$) then there is an edge (p', r') ($[A']^{r'}_{p'} = 1$). Similarly, condition (3) states that if r' and q are related by S and q' and q are related by R then there is an edge (r', q').

Condition (4) states that the domain of S and the range of P is the set of internal nodes $\eta'$ in M'. Further, the set of internal nodes is disjoint with the domain of R.

Condition (5) states that if p is related to p' by P ($[P]^{p}_{p'} = 1$) then there does not exist any q related to p' by R ($[R]^{p'}_{q} = 0$, for all $q \in N$). Similarly, condition (6) states that if p' is related to q by S ($[S]^{p'}_{q} = 1$) then there does not exist any p such that p is related to p' by R ($[R]^{p'}_{p} = [R^{\mathsf T}]^{p}_{p'} = 0$, for all $p \in N$).

From Equation (7), we know that condition (7) states that R is an onto relation but neither one-to-many nor many-to-many. From Equation (6), we know that condition (8) states that R is a total relation on $N' - \eta'$ but is neither many-to-one nor many-to-many. Further, condition (9) states that R does not relate any node in $\eta'$ to a node in N. Together, conditions (7), (8), and (9) state that $R \subseteq (N' - \eta') \times N$ is a bijection.

Condition (10) states that no two internal nodes can be adjacent.

Thus, $M \prec_{(R,P,S)} M'$ if for every edge (p, q) in M there is a corresponding edge (p', q') in M' or there are two adjacent edges (p', r') and (r', q') such that p' and p as well as q' and q are related by R. Further, p and r' are related by P and r' and q are related by S where r' is an internal node in M'.

7.2. Primitive Kripke transformations and simulation relations 

A primitive Kripke transformation constructs some kind of simulation relation between a transformed Kripke structure M' and the corresponding input Kripke structure M. We summarize these relations in Figure 9 and use them to correlate temporal properties across transformations in Section 7.3.

The relation C denotes the correspondence matrix of the primitive transformation (ref. Section 3). The relations $N_P$ and $N_S$ are relevant for node addition and node deletion transformations and are defined in
                                         NS    NM    EA    ED    NA    ND    IM
$M \rhd_C M'$                           Yes   Yes   Yes   No    -     -     Yes
$M' \rhd_{C^{\mathsf T}} M$             Yes   No    No    Yes   -     -     Yes
$M \bowtie_C M'$                        Yes   No    No    No    -     -     Yes
$M \prec_{(C,N_P,N_S)} M'$              -     -     -     -     Yes   No    -
$M' \prec_{(C^{\mathsf T},N_P,N_S)} M$  -     -     -     -     No    Yes   -

Fig. 9. Simulation relations between Kripke structures under primitive transformations



Sections 3.6 and 3.7 respectively. The temporal logic CTLbp also consists of backward temporal operators which can be interpreted by inverting the edges of a Kripke structure. The simulation relations for inverted Kripke structures can be identified similarly.

We now prove the construction of simulation relations noted in Figure 9 for some representative transformations. Let the adjacency matrices of Kripke structures M and M' be A and A' respectively.

Theorem 17. If C is the correspondence matrix of a node splitting transformation from M to M' then C is a bisimulation relation between M' and M, that is, $M \bowtie_C M'$.

Proof. The proof is derived in two steps:

1. From Definition 1, $C\cdot A\cdot C^{\mathsf T} = A'$. From Lemma 13, for all $z \in B^n$, $z = C^{\mathsf T}\cdot C\cdot z$. Hence, C is a simulation relation between M' and M, that is, $M \rhd_C M'$.

2. We now show that $C^{\mathsf T}$ is a simulation relation between M and M', that is, $M' \rhd_{C^{\mathsf T}} M$.
(1) We prove that $C^{\mathsf T}\cdot A'\cdot C = A$.



$C\cdot A\cdot C^{\mathsf T} = A'$   (Definition 1)

$C^{\mathsf T}\cdot(C\cdot A\cdot C^{\mathsf T}) = C^{\mathsf T}\cdot A'$   (monotonic)

$C^{\mathsf T}\cdot C\cdot(A\cdot C^{\mathsf T}) = C^{\mathsf T}\cdot A'$   (associative)

$A\cdot C^{\mathsf T} = C^{\mathsf T}\cdot A'$   (Lemma 13)

$(A\cdot C^{\mathsf T})\cdot C = C^{\mathsf T}\cdot A'\cdot C$   (monotonic)

$A\cdot(C^{\mathsf T}\cdot C) = C^{\mathsf T}\cdot A'\cdot C$   (associative)

$A = C^{\mathsf T}\cdot A'\cdot C$   (Lemma 13)

(2) As a special case of Lemma 13, $z' \le C\cdot C^{\mathsf T}\cdot z'$.

□

Similarly, we can prove that a node merging transformation constructs a simulation relation between M' and M. However, it does not create a bisimulation relation between M and M'. Suppose nodes p and q are merged into a node p' and there are edges (p, r) and (q, s). If r' and s' are the nodes corresponding to r and s then in the transformed Kripke structure, we have edges (p', r') and (p', s') which correspond to edges (p, r), (q, r), (p, s), and (q, s) of the input Kripke structure. Thus, the transformed Kripke structure has edges which do not correspond to any edges in the input graph.

Theorem 18. If C is the correspondence matrix of an edge addition transformation from M to M' then C is a simulation relation between M' and M, i.e. $M \rhd_C M'$.
Proof. (1) We prove that $C\cdot A\cdot C^{\mathsf T} \le A'$.

$A \le A + E$   (Definition 3)

$C\cdot A \le C\cdot(A + E)$   (monotonic, C is a bijection)

$C\cdot A\cdot C^{\mathsf T} \le C\cdot(A + E)\cdot C^{\mathsf T}$   (monotonic)

$C\cdot A\cdot C^{\mathsf T} \le C\cdot A\cdot C^{\mathsf T} + C\cdot E\cdot C^{\mathsf T} = A'$   (distributive, Definition 3)

(2) As a special case of Lemma 13, $z = C^{\mathsf T}\cdot C\cdot z$.

□



An edge addition transformation adds at least one new edge to the transformed Kripke structure. Therefore, C cannot be a bisimulation relation between M' and M.

An edge deletion transformation deletes at least one edge from the input Kripke structure. Therefore $C^{\mathsf T}$ is a simulation relation between M and M', that is, $M' \rhd_{C^{\mathsf T}} M$. Clearly, C is not a bisimulation between M and M'.

Theorem 19. If C is the correspondence matrix of a node addition transformation from M to M' and the relations $N_P$ and $N_S$ are as defined in Definition 5 then the triple $(C, N_P, N_S)$ is a one-step weak bisimulation relation between M' and M, i.e. $M \prec_{(C,N_P,N_S)} M'$.



Proof. Let E be the edges to be split and $\eta'$ be the set of new nodes in M'. The proof is derived as follows:
(1) We prove that $C\cdot A\cdot C^{\mathsf T} = (A' - C\cdot N_P - N_S\cdot C^{\mathsf T}) + C\cdot N_P\cdot N_S\cdot C^{\mathsf T}$.

$(C\cdot A\cdot C^{\mathsf T} - C\cdot E\cdot C^{\mathsf T}) + C\cdot N_P + N_S\cdot C^{\mathsf T} = A'$   (Definition 5)

$C\cdot A\cdot C^{\mathsf T} - C\cdot E\cdot C^{\mathsf T} = A' - C\cdot N_P - N_S\cdot C^{\mathsf T}$

$(C\cdot A\cdot C^{\mathsf T} - C\cdot E\cdot C^{\mathsf T}) + C\cdot E\cdot C^{\mathsf T} = (A' - C\cdot N_P - N_S\cdot C^{\mathsf T}) + C\cdot E\cdot C^{\mathsf T}$

$C\cdot A\cdot C^{\mathsf T} = (A' - C\cdot N_P - N_S\cdot C^{\mathsf T}) + C\cdot E\cdot C^{\mathsf T}$   ($E \le A$)

$C\cdot A\cdot C^{\mathsf T} = (A' - C\cdot N_P - N_S\cdot C^{\mathsf T}) + C\cdot N_P\cdot N_S\cdot C^{\mathsf T}$   (Definition 5)

(2) $C\cdot N_P \le A'$ and (3) $N_S\cdot C^{\mathsf T} \le A'$.

(4) $N_S\cdot 1 = N_P^{\mathsf T}\cdot 1 = \eta' = 1 - C\cdot 1$, (5) $N_P\cdot C = 0$, and (6) $C^{\mathsf T}\cdot N_S = 0$.

(7) As a special case of Lemma 13, $z = C^{\mathsf T}\cdot C\cdot z$.

(8) From the nature of C, $z' * \overline{\eta'} = C\cdot C^{\mathsf T}\cdot(z' * \overline{\eta'})$.

(9) From the nature of C, $C^{\mathsf T}\cdot(z' * \overline{\eta'}) = C^{\mathsf T}\cdot z'$.

(10) We prove that $\eta' * (A'\cdot\eta' + A'^{\mathsf T}\cdot\eta') = 0$ as follows:

$\eta' * A'\cdot\eta' = \eta' * ((C\cdot A\cdot C^{\mathsf T} - C\cdot E\cdot C^{\mathsf T}) + C\cdot N_P + N_S\cdot C^{\mathsf T})\cdot\eta'$   (Definition 5)

$= \eta' * C\cdot N_P\cdot\eta'$   (Definition 5)

$= (1 - C\cdot 1) * C\cdot N_P\cdot\eta'$   (Definition 5)

$\le (1 - C\cdot 1) * C\cdot 1 = 0$

$\eta' * A'^{\mathsf T}\cdot\eta' = \eta' * ((C\cdot A^{\mathsf T}\cdot C^{\mathsf T} - C\cdot E^{\mathsf T}\cdot C^{\mathsf T}) + N_P^{\mathsf T}\cdot C^{\mathsf T} + C\cdot N_S^{\mathsf T})\cdot\eta'$   (Definition 5)

$= \eta' * C\cdot N_S^{\mathsf T}\cdot\eta'$   (Definition 5)

$= (1 - C\cdot 1) * C\cdot N_S^{\mathsf T}\cdot\eta'$   (Definition 5)

$\le (1 - C\cdot 1) * C\cdot 1 = 0$

Hence, $\eta' * (A'\cdot\eta' + A'^{\mathsf T}\cdot\eta') = 0$.

□
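The ten conditions of Definition 16 can be checked mechanically for a concrete node addition. The following Python example is added here and is not the paper's code. It assumes the edge-splitting form of the transformed adjacency matrix that the proof of Theorem 19 works with, $A' = (C\cdot A\cdot C^{\mathsf T} - C\cdot E\cdot C^{\mathsf T}) + C\cdot N_P + N_S\cdot C^{\mathsf T}$, splits one edge of a constructed three-node Kripke structure with a single new node, verifies that $(C, N_P, N_S)$ satisfies all ten conditions, and then shows which conditions fail when two new nodes are placed on the same edge, the situation that condition (10) rules out. Node numbers, matrix names and the helper functions are the example's own.

```python
from itertools import product

T, F = True, False

def transpose(X):
    return [list(col) for col in zip(*X)]

def mul(X, Y):
    """Boolean matrix product."""
    return [[any(X[i][k] and Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]

def app(X, z):
    """Matrix applied to a vector."""
    return [any(X[i][k] and z[k] for k in range(len(z))) for i in range(len(X))]

def plus(X, Y):
    return [[a or b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def minus(X, Y):
    """X - Y as set difference, i.e. X * not(Y)."""
    return [[a and not b for a, b in zip(rx, ry)] for rx, ry in zip(X, Y)]

def leq(X, Y):
    return all(a <= b for rx, ry in zip(X, Y) for a, b in zip(rx, ry))

def zero(m, n):
    return [[F] * n for _ in range(m)]

def vectors(k):
    return [list(v) for v in product([F, T], repeat=k)]

def node_addition(A, C, E, NP, NS):
    """Assumed adjacency matrix of the transformed structure: the split edges E are
    removed and replaced by the edges into (C.N_P) and out of (N_S.Ct) the new nodes."""
    Ct = transpose(C)
    kept = minus(mul(mul(C, A), Ct), mul(mul(C, E), Ct))
    return plus(plus(kept, mul(C, NP)), mul(NS, Ct))

def weak_bisimulation_failures(R, P, S, A, A2):
    """Conditions (1)-(10) of Definition 16 for the triple (R, P, S); returns the
    numbers of the conditions that fail (an empty list means M <_(R,P,S) M' holds)."""
    n, n2 = len(A), len(A2)
    Rt, Pt, A2t = transpose(R), transpose(P), transpose(A2)
    ones = [T] * n
    eta = [not v for v in app(R, ones)]          # internal nodes: eta' = 1 - R.1
    RP, SRt = mul(R, P), mul(S, Rt)
    RPSRt = mul(RP, SRt)
    visible = lambda z: [a and not e for a, e in zip(z, eta)]   # z' * not(eta')
    checks = {
        1: mul(mul(R, A), Rt) == plus(minus(minus(A2, RP), SRt), RPSRt),
        2: leq(RP, A2),
        3: leq(SRt, A2),
        4: app(S, ones) == eta and app(Pt, ones) == eta,
        5: mul(P, R) == zero(n, n),
        6: mul(Rt, S) == zero(n, n),
        7: all(app(Rt, app(R, z)) == z for z in vectors(n)),
        8: all(app(R, app(Rt, visible(z))) == visible(z) for z in vectors(n2)),
        9: all(app(Rt, visible(z)) == app(Rt, z) for z in vectors(n2)),
        10: not any(e and (s or p) for e, s, p in zip(eta, app(A2, eta), app(A2t, eta))),
    }
    return [k for k, ok in checks.items() if not ok]

# Constructed input M: nodes 0,1,2 with edges 0->1, 1->2, 2->2.
A = [[F, T, F], [F, F, T], [F, F, T]]
E = [[F, T, F], [F, F, F], [F, F, F]]            # the edge 0->1 is to be split
# M' gains node 3 on that edge: 0->3->1. C relates the old nodes to themselves.
C = [[T, F, F], [F, T, F], [F, F, T], [F, F, F]]   # (n' x n); last row: node 3 is new
NP = [[F, F, F, T], [F, F, F, F], [F, F, F, F]]    # (n x n'): 0 -> new node 3
NS = [[F, F, F], [F, F, F], [F, F, F], [F, T, F]]  # (n' x n): new node 3 -> 1
A_PRIME = node_addition(A, C, E, NP, NS)

# Constructed violation: two new nodes 3 and 4 on the same edge, 0->3->4->1.
C2 = C + [[F, F, F]]
NP2 = [[F, F, F, T, F], [F] * 5, [F] * 5]
NS2 = [[F, F, F]] * 4 + [[F, T, F]]
A2_BAD = [[F, F, F, T, F], [F, F, T, F, F], [F, F, T, F, F],
          [F, F, F, F, T], [F, T, F, F, F]]

if __name__ == "__main__":
    print("A' =", A_PRIME)
    print("failed conditions, one new node:", weak_bisimulation_failures(C, NP, NS, A, A_PRIME))
    print("failed conditions, two adjacent new nodes:",
          weak_bisimulation_failures(C2, NP2, NS2, A, A2_BAD))
```

In the violating case the two-edge composite $R\cdot P\cdot S\cdot R^{\mathsf T}$ no longer reproduces the split edge, so condition (1) fails together with (4) and (10); this is exactly why the one-step restriction is needed for the correlations of Section 7.3 to go through with a single internal node per edge.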



Similarly, we can show that if C is the correspondence matrix of a node deletion transformation from M to M' and the relations $N_P$ and $N_S$ are as defined in Definition 6 then the triple $(C^{\mathsf T}, N_P, N_S)$ is a one-step weak bisimulation relation between M and M', i.e. $M' \prec_{(C^{\mathsf T},N_P,N_S)} M$.

The case of an isomorphic transformation is straightforward.
From $R\cdot\varphi \le \varphi'$ infer $R\cdot A\cdot\varphi \le A'\cdot\varphi'$   (SR:EX)

From $R\cdot\psi \le \psi'$ and $R\cdot\varphi \le \varphi'$ infer $R\cdot(\mu z.\ \psi + (\varphi * A\cdot z)) \le \mu z'.\ \psi' + (\varphi' * A'\cdot z')$   (SR:EU)

From $R\cdot\psi \le \psi'$ and $R\cdot\varphi \le \varphi'$ infer $R\cdot(\nu z.\ \psi + (\varphi * A\cdot z)) \le \nu z'.\ \psi' + (\varphi' * A'\cdot z')$   (SR:EW)

From $R\cdot\varphi \le \varphi'$ infer $R\cdot(\nu z.\ \varphi * A\cdot z) \le \nu z'.\ \varphi' * A'\cdot z'$   (SR:EG)

Fig. 10. Correlations of existential future properties under a simulation relation $M \rhd_R M'$



7.3. Correlating temporal properties 

In this section, we prove correlations of temporal properties between Kripke structures that are related by various simulation relations. In the appendix we give the boolean matrix algebraic semantics of CTLbp formulae. Some temporal operators are given fixed point semantics. Since Kripke structures can have different numbers of nodes, in Appendix B we define an ordering of functions defined over different vector spaces and prove relations between the least and greatest fixed points of such functions. For brevity, we consider correlations of future temporal properties under simulation and weak bisimulation relations. We refer the reader to [Kan07] for the complete set of correlations and their proofs.



7.3.1. Existential future properties 

The existential future CTLbp operators are EX, EU, EW, EF, and EG where EF is a special case of EU.

Consider a simulation relation R between Kripke structures M and M'. For every edge in M, there is an edge in M'. Thus, we can correlate existential future properties between M and M'. The correlations are given in Figure 10 and their soundness is proved below.

Theorem 20. If R is a simulation relation between Kripke structures M and M', i.e. $M \rhd_R M'$, then the correlations between the future temporal properties given in Figure 10 are sound.

Proof. We first prove soundness of the rule SR:EX.

$R\cdot\varphi \le \varphi'$   (given)

$R\cdot A\cdot R^{\mathsf T}\cdot(R\cdot\varphi) \le A'\cdot\varphi'$   (monotonic, Definition 14)

$R\cdot A\cdot(R^{\mathsf T}\cdot R\cdot\varphi) \le A'\cdot\varphi'$   (associative)

$R\cdot A\cdot\varphi \le A'\cdot\varphi'$   (Definition 14, monotonic)

Note that the rules SR:EU, SR:EW, and SR:EG correlate fixed points of certain functions. To prove soundness of these rules, we use the following strategy. We first establish an ordering as per Definition 28 between the respective functions. We then use Lemmas 29 and 30 to correlate their fixed points. We demonstrate this strategy by proving soundness of the rule SR:EU. Let z be a boolean vector defined on M.



$R\cdot z \le R\cdot z$   (identity)

$R\cdot A\cdot z \le A'\cdot(R\cdot z)$   (substitute $[z/\varphi,\ R\cdot z/\varphi']$ in SR:EX)

$R\cdot\varphi \le \varphi'$   (given)

$(R\cdot\varphi) * (R\cdot A\cdot z) \le \varphi' * (A'\cdot(R\cdot z))$   (monotonic)

$R\cdot(\varphi * A\cdot z) \le \varphi' * (A'\cdot(R\cdot z))$   (distributive)

$R\cdot\psi \le \psi'$   (given)

$(R\cdot\psi) + (R\cdot(\varphi * A\cdot z)) \le \psi' + (\varphi' * A'\cdot(R\cdot z))$   (monotonic)

$R\cdot(\psi + (\varphi * A\cdot z)) \le \psi' + (\varphi' * A'\cdot(R\cdot z))$   (distributive)

$\lambda z.\ \psi + (\varphi * A\cdot z) \sqsubseteq_R \lambda z'.\ \psi' + (\varphi' * A'\cdot z')$   (Definition 28)

$R\cdot(\mu z.\ \psi + (\varphi * A\cdot z)) \le \mu z'.\ \psi' + (\varphi' * A'\cdot z')$   (Lemma 29)
From $R\cdot\varphi \le \varphi'$ and $\eta' \le \varphi'$ infer $R\cdot A\cdot\varphi \le A'\cdot\varphi'$   (WB:EX)

From $R\cdot\psi \le \psi'$, $R\cdot\varphi \le \varphi'$ and $\eta' \le \varphi'$ infer $R\cdot(\mu z.\ \psi + (\varphi * A\cdot z)) \le \mu z'.\ \psi' + (\varphi' * A'\cdot z')$   (WB:EU)

From $R\cdot\psi \le \psi'$, $R\cdot\varphi \le \varphi'$ and $\eta' \le \varphi'$ infer $R\cdot(\nu z.\ \psi + (\varphi * A\cdot z)) \le \nu z'.\ \psi' + (\varphi' * A'\cdot z')$   (WB:EW)

From $R\cdot\varphi \le \varphi'$ and $\eta' \le \varphi'$ infer $R\cdot(\nu z.\ \varphi * A\cdot z) \le \nu z'.\ \varphi' * A'\cdot z'$   (WB:EG)

Fig. 11. Correlations of existential future properties under a weak bisimulation relation $M \prec_{(R,P,S)} M'$



□ 
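The rules of Figure 10 and the informal remarks of Section 6.3 can be exercised on concrete structures. The following Python example is added here and is not the paper's code. It implements the boolean matrix semantics the proof above relies on (EX as $A\cdot\varphi$, E[$\varphi$ U $\psi$] as the least fixed point $\mu z.\ \psi + (\varphi * A\cdot z)$, EG as the corresponding greatest fixed point, and the universal operators through $\overline{A\cdot\overline{z}}$), takes a constructed three-node Kripke structure M together with an edge addition and an edge deletion of it (the correspondence is the identity, so choosing $\varphi' = R\cdot\varphi$ satisfies the premises $R\cdot\varphi \le \varphi'$ by construction), and reports which operators correlate across each transformation: existential operators under edge addition, universal ones under edge deletion, and neither in the other direction. The structures and proposition vectors are the example's own.

```python
T, F = True, False

def app(X, z):
    """Boolean matrix applied to a vector: [X.z]_i = OR_k (X_ik AND z_k)."""
    return [any(X[i][k] and z[k] for k in range(len(z))) for i in range(len(X))]

def leq(x, y):
    return all(a <= b for a, b in zip(x, y))

def neg(z):
    return [not v for v in z]

def ex(A, phi):
    """EX phi = A.phi: nodes with some successor satisfying phi."""
    return app(A, phi)

def ax(A, phi):
    """AX phi = not(A.not phi): nodes all of whose successors satisfy phi."""
    return neg(app(A, neg(phi)))

def lfp(f, n):
    """Least fixed point of a monotonic f on B^n, iterating up from the zero vector."""
    z = [F] * n
    while True:
        nz = f(z)
        if nz == z:
            return z
        z = nz

def gfp(f, n):
    """Greatest fixed point, iterating down from the all-ones vector."""
    z = [T] * n
    while True:
        nz = f(z)
        if nz == z:
            return z
        z = nz

def eu(A, phi, psi):
    """E[phi U psi] = mu z. psi + (phi * A.z)."""
    return lfp(lambda z: [p or (f and s) for p, f, s in zip(psi, phi, app(A, z))], len(A))

def eg(A, phi):
    """EG phi = nu z. phi * A.z."""
    return gfp(lambda z: [f and s for f, s in zip(phi, app(A, z))], len(A))

def au(A, phi, psi):
    """A[phi U psi] = mu z. psi + (phi * not(A.not z))."""
    return lfp(lambda z: [p or (f and s) for p, f, s in zip(psi, phi, ax(A, z))], len(A))

def correlated(R, A, A2, op, *props):
    """R.op_M(props) <= op_M'(R.props): the conclusion of the correlation rules, with
    the primed propositions chosen as R.phi so that the premises hold by definition."""
    lhs = app(R, op(A, *props))
    rhs = op(A2, *[app(R, p) for p in props])
    return leq(lhs, rhs)

# Constructed Kripke structure M: nodes 0,1,2; edges 0->1, 0->2, 1->2, 2->2.
A_M  = [[F, T, T], [F, F, T], [F, F, T]]
A_EA = [[F, T, T], [T, F, T], [F, F, T]]   # edge addition: new edge 1->0
A_ED = [[F, T, F], [F, F, T], [F, F, T]]   # edge deletion: edge 0->2 removed
I3 = [[T, F, F], [F, T, F], [F, F, T]]     # correspondence: nodes are unchanged
PHI, PSI, TWO = [F, T, F], [T, F, F], [F, F, T]   # constructed propositions

def summary():
    """Which operator correlations hold for the edge addition and the edge deletion."""
    return {
        "EA": {"EX": correlated(I3, A_M, A_EA, ex, TWO),
               "EU": correlated(I3, A_M, A_EA, eu, PHI, PSI),
               "EG": correlated(I3, A_M, A_EA, eg, TWO),
               "AX": correlated(I3, A_M, A_EA, ax, TWO),
               "AU": correlated(I3, A_M, A_EA, au, PHI, TWO)},
        "ED": {"EX": correlated(I3, A_M, A_ED, ex, TWO),
               "EU": correlated(I3, A_M, A_ED, eu, [T, F, F], TWO),
               "AX": correlated(I3, A_M, A_ED, ax, TWO),
               "AU": correlated(I3, A_M, A_ED, au, PHI, TWO)},
    }

if __name__ == "__main__":
    for name, row in summary().items():
        print(name, row)
```

The failing entries are the interesting ones for a verifier: after the edge addition, node 0 loses AX and AU properties it had in M, and after the edge deletion node 0 loses an EU witness, which is precisely why TTL_ea and TTL_ed are restricted to existential and universal operators respectively.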

Theorem 21. If (R, P, S) is a weak bisimulation between Kripke structures M and M', i.e. $M \prec_{(R,P,S)} M'$, and $\eta' = 1 - R\cdot 1$ is the set of internal nodes of M' then the correlations between future temporal properties given in Figure 11 are sound.



Proof. We first prove soundness of the rule WB:EX.

(i) $S\cdot(R^{\mathsf T}\cdot\varphi') \le S\cdot 1 = \eta'$   (by definition)

$R\cdot P\cdot(S\cdot R^{\mathsf T}\cdot\varphi') \le R\cdot P\cdot\eta' \le A'\cdot\eta' \le A'\cdot\varphi'$   (monotonic, Definition 16, given)

The main derivation is as follows:

$R\cdot\varphi \le \varphi'$   (given)

$R\cdot A\cdot R^{\mathsf T}\cdot(R\cdot\varphi) \le (A' + R\cdot P\cdot S\cdot R^{\mathsf T})\cdot\varphi'$   (Definition 16, monotonic)

$R\cdot A\cdot(R^{\mathsf T}\cdot R\cdot\varphi) \le A'\cdot\varphi' + R\cdot P\cdot S\cdot R^{\mathsf T}\cdot\varphi'$   (associative, distributive)

$R\cdot A\cdot\varphi \le A'\cdot\varphi' + R\cdot P\cdot(S\cdot R^{\mathsf T}\cdot\varphi')$   (Definition 16, monotonic, associative)

(ii) $R\cdot A\cdot\varphi \le A'\cdot\varphi'$   (from (i) above)


Note that the rules WB:EU, WB:EW, and WB:EG correlate fixed points of certain functions. To prove soundness of these rules, we use the following strategy. Suppose the respective functions are f and f'. The functions are interpreted over different Kripke structures M and M' which are related by a one-step weak bisimulation. Hence, M' consists of internal nodes. Function f' does not distinguish between visible and internal nodes of M'. We therefore construct a function g which is similar to f' but distinguishes between visible and internal nodes. We show that f and g are related by an ordering as per Definition 28. We then correlate fixed points of f and g using Lemmas 29 and 30. Finally, we show that the required fixed point of g is smaller than the required fixed point of f'. We demonstrate this strategy by proving soundness of the rule WB:EU. For the rule WB:EU, let $f = \lambda z.\ \psi + (\varphi * A\cdot z)$ and $f' = \lambda z'.\ \psi' + (\varphi' * A'\cdot z')$.



$R\cdot z \le R\cdot z$   (identity)

$R\cdot A\cdot z \le A'\cdot(R\cdot z) + R\cdot P\cdot S\cdot R^{\mathsf T}\cdot(R\cdot z)$   (from (ii) of Thm. 21)

$R\cdot A\cdot z \le A'\cdot(R\cdot z) + (R\cdot P)\cdot S\cdot R^{\mathsf T}\cdot(R\cdot z)$   (associative)

$R\cdot A\cdot z \le A'\cdot(R\cdot z) + A'\cdot S\cdot R^{\mathsf T}\cdot(R\cdot z)$   (Def. 16, monotonic)

$R\cdot A\cdot z \le A'\cdot(R\cdot z) + A'\cdot S\cdot R^{\mathsf T}\cdot(1 * R\cdot z)$   (identity)

$R\cdot A\cdot z \le A'\cdot(R\cdot z) + A'\cdot(S\cdot R^{\mathsf T}\cdot 1 * S\cdot R^{\mathsf T}\cdot R\cdot z)$   (distributive)

$R\cdot A\cdot z \le A'\cdot(R\cdot z) + A'\cdot(\eta' * (S\cdot R^{\mathsf T})\cdot R\cdot z)$   (Def. 16, associative)

(i) $R\cdot A\cdot z \le A'\cdot(R\cdot z) + A'\cdot(\eta' * A'\cdot R\cdot z)$   (Def. 16, monotonic)

$R\cdot(\psi + (\varphi * A\cdot z)) \le \psi' + (\varphi' * (A'\cdot R\cdot z + A'\cdot(\eta' * A'\cdot R\cdot z)))$   (monotonic)

(ii) $\lambda z.\ \psi + (\varphi * A\cdot z) \sqsubseteq_R \lambda z'.\ \psi' + (\varphi' * (A'\cdot z' + A'\cdot(\eta' * A'\cdot z')))$   (Def. 28)

(iii) $R\cdot(\mu z.\ \psi + (\varphi * A\cdot z)) \le \mu z'.\ \psi' + (\varphi' * (A'\cdot z' + A'\cdot(\eta' * A'\cdot z'))) = \mu z'.\ g(z')$   (Lemmas 29 and 30)
From $R^{\mathsf T}\cdot R\cdot z \le z$, $R\cdot\overline{z} = \overline{R\cdot z}$ and $R\cdot\varphi \le \varphi'$ infer $R\cdot\overline{A\cdot\overline{\varphi}} \le \overline{A'\cdot\overline{\varphi'}}$   (SR:AX)

From $R^{\mathsf T}\cdot R\cdot z \le z$, $R\cdot\overline{z} = \overline{R\cdot z}$, $R\cdot\psi \le \psi'$ and $R\cdot\varphi \le \varphi'$ infer $R\cdot(\mu z.\ \psi + (\varphi * \overline{A\cdot\overline{z}})) \le \mu z'.\ \psi' + (\varphi' * \overline{A'\cdot\overline{z'}})$   (SR:AU)

From $R^{\mathsf T}\cdot R\cdot z \le z$, $R\cdot\overline{z} = \overline{R\cdot z}$, $R\cdot\psi \le \psi'$ and $R\cdot\varphi \le \varphi'$ infer $R\cdot(\nu z.\ \psi + (\varphi * \overline{A\cdot\overline{z}})) \le \nu z'.\ \psi' + (\varphi' * \overline{A'\cdot\overline{z'}})$   (SR:AW)

From $R^{\mathsf T}\cdot R\cdot z \le z$, $R\cdot\overline{z} = \overline{R\cdot z}$ and $R\cdot\varphi \le \varphi'$ infer $R\cdot(\nu z.\ \varphi * \overline{A\cdot\overline{z}}) \le \nu z'.\ \varphi' * \overline{A'\cdot\overline{z'}}$   (SR:AG)

Fig. 12. Correlations of universal future properties under a simulation relation $M' \rhd_{R^{\mathsf T}} M$



We now show that $\mu z'.\ g(z') \le \mu z'.\ \psi' + (\varphi' * A'\cdot z')$. Let $q' = \mu z'.\ \psi' + (\varphi' * A'\cdot z')$.

$\eta' \le \varphi'$   (given)

$\eta' * A'\cdot q' \le \varphi' * A'\cdot q' \le q'$   (monotonic; Def. of $q'$)

$A'\cdot(\eta' * A'\cdot q') \le A'\cdot q'$   (monotonic)

$A'\cdot q' + A'\cdot(\eta' * A'\cdot q') = A'\cdot q'$

(iv) $\psi' + (\varphi' * (A'\cdot q' + A'\cdot(\eta' * A'\cdot q'))) = \psi' + (\varphi' * A'\cdot q') = q'$   (monotonic; Def. of $q'$)

Thus, $q'$ is a fixed point of g. Hence, $\mu z'.\ g(z') \le q'$. From (iii) and (iv), by transitivity, we get the following result: $R\cdot(\mu z.\ \psi + (\varphi * A\cdot z)) \le \mu z'.\ \psi' + (\varphi' * A'\cdot z')$. □



7.3.2. Universal future properties 

The universal future CTLbp operators are AX, AU, AW, AF, and AG where AF is a special case of AU.

Consider a simulation relation R between Kripke structures M' and M where $M' \rhd_{R^{\mathsf T}} M$. The set of outgoing edges of a node in M is a superset of the set of outgoing edges of a corresponding node in M'. Since M' is a Kripke structure, the set of outgoing edges for any node is non-empty. We can correlate universal future properties between M and M'. The correlations are given in Figure 12 and their soundness is proved below.



Theorem 22. If R is a simulation relation between Kripke structures M' and M, i.e. $M' \rhd_{R^{\mathsf T}} M$, then the correlations between future temporal properties given in Figure 12 are sound.

Proof. We first determine the nature of the simulation relation from its definition and the premises common in the inference rules in Figure 12.

From Definition 14 we know that $z' \le R\cdot R^{\mathsf T}\cdot z'$. Thus, R is total and possibly many-to-one or many-to-many. From (6), we know that $R\cdot\overline{z} = \overline{R\cdot z}$ states that R is total but neither one-to-many nor many-to-many. From (7), we know that $R^{\mathsf T}\cdot R\cdot z \le z$ states that R is possibly not onto and neither one-to-many nor many-to-many. Thus, R is a total and either a one-to-one or a many-to-one relation.

Further, from Definition 14, $R^{\mathsf T}\cdot A'\cdot R \le A$. Hence, the set of outgoing edges of a node in M is a superset of the set of outgoing edges of a corresponding node in M'.
The proof of the rule SR:AX is as follows:

$R\cdot\varphi \le \varphi'$   (given)

$\overline{\varphi'} \le \overline{R\cdot\varphi} = R\cdot\overline{\varphi}$   (negation, given)

$R^{\mathsf T}\cdot\overline{\varphi'} \le R^{\mathsf T}\cdot R\cdot\overline{\varphi} \le \overline{\varphi}$   (monotonicity, given)

$R^{\mathsf T}\cdot A'\cdot R\cdot(R^{\mathsf T}\cdot\overline{\varphi'}) \le A\cdot\overline{\varphi}$   (Definition 14, monotonic)

$R^{\mathsf T}\cdot A'\cdot(R\cdot R^{\mathsf T}\cdot\overline{\varphi'}) \le A\cdot\overline{\varphi}$   (associative)

$R\cdot(R^{\mathsf T}\cdot A'\cdot\overline{\varphi'}) \le R\cdot(A\cdot\overline{\varphi})$   (Definition 14, monotonic)

$(R\cdot R^{\mathsf T})\cdot(A'\cdot\overline{\varphi'}) \le R\cdot A\cdot\overline{\varphi}$   (associative)

$A'\cdot\overline{\varphi'} \le R\cdot A\cdot\overline{\varphi}$   (Definition 14)

$\overline{R\cdot A\cdot\overline{\varphi}} \le \overline{A'\cdot\overline{\varphi'}}$   (negation)

$R\cdot\overline{A\cdot\overline{\varphi}} \le \overline{A'\cdot\overline{\varphi'}}$   (given)



The proof of the rule SR:AU is as follows. Let z be a boolean vector defined on M.

$R\cdot z \le R\cdot z$   (identity)

$R\cdot\overline{A\cdot\overline{z}} \le \overline{A'\cdot\overline{R\cdot z}}$   ($[z/\varphi,\ R\cdot z/\varphi']$ in Theorem 22)

$R\cdot\varphi \le \varphi'$   (given)

$(R\cdot\varphi) * (R\cdot\overline{A\cdot\overline{z}}) \le \varphi' * \overline{A'\cdot\overline{R\cdot z}}$   (monotonic)

$R\cdot(\varphi * \overline{A\cdot\overline{z}}) \le \varphi' * \overline{A'\cdot\overline{R\cdot z}}$   (distributive)

$R\cdot\psi \le \psi'$   (assumption)

$(R\cdot\psi) + (R\cdot(\varphi * \overline{A\cdot\overline{z}})) \le \psi' + (\varphi' * \overline{A'\cdot\overline{R\cdot z}})$   (monotonic)

$R\cdot(\psi + (\varphi * \overline{A\cdot\overline{z}})) \le \psi' + (\varphi' * \overline{A'\cdot\overline{R\cdot z}})$   (distributive)

(i) $\lambda z.\ \psi + (\varphi * \overline{A\cdot\overline{z}}) \sqsubseteq_R \lambda z'.\ \psi' + (\varphi' * \overline{A'\cdot\overline{z'}})$   (Definition 28)

$R\cdot(\mu z.\ \psi + (\varphi * \overline{A\cdot\overline{z}})) \le \mu z'.\ \psi' + (\varphi' * \overline{A'\cdot\overline{z'}})$   (Lemma 29)

The proofs of SR:AW and SR:AG can be derived similarly. □

Consider a one-step weak bisimulation $M \prec_{(R,P,S)} M'$ where $\eta'$ denotes the set of internal nodes in M'. The correlations between universal future properties of M and M' are given in Figure 13.

We prove two supporting lemmas before giving the proof of soundness of the inference rules.

Lemma 23. If $M \prec_{(R,P,S)} M'$ then $R\cdot R^{\mathsf T}\cdot z' \le z'$.

Proof. From Definition 16, $R^{\mathsf T}\cdot z' = R^{\mathsf T}\cdot(z' * \overline{\eta'})$. Multiply both sides by R. Again, from Definition 16, $R\cdot R^{\mathsf T}\cdot z' = R\cdot R^{\mathsf T}\cdot(z' * \overline{\eta'}) = z' * \overline{\eta'}$. Further, $z' * \overline{\eta'} \le z'$. Hence, $R\cdot R^{\mathsf T}\cdot z' \le z'$. □

Lemma 24. If $M \prec_{(R,P,S)} M'$ then $R^{\mathsf T}\cdot A'\cdot R + R^{\mathsf T}\cdot R\cdot P\cdot S\cdot R^{\mathsf T}\cdot R = R^{\mathsf T}\cdot(R\cdot A\cdot R^{\mathsf T})\cdot R$.

Proof.

$(A' - R\cdot P - S\cdot R^{\mathsf T}) + R\cdot P\cdot S\cdot R^{\mathsf T} = R\cdot A\cdot R^{\mathsf T}$   (Definition 16)

$R^{\mathsf T}\cdot((A' - R\cdot P - S\cdot R^{\mathsf T}) + R\cdot P\cdot S\cdot R^{\mathsf T})\cdot R = R^{\mathsf T}\cdot(R\cdot A\cdot R^{\mathsf T})\cdot R$   (monotonic)

$R^{\mathsf T}\cdot A'\cdot R + R^{\mathsf T}\cdot R\cdot P\cdot S\cdot R^{\mathsf T}\cdot R = R^{\mathsf T}\cdot(R\cdot A\cdot R^{\mathsf T})\cdot R$   (distributive, Definition 16)

□

Theorem 25. If $(R, P, S)$ is a weak bisimulation between Kripke structures $M$ and $M'$, i.e. $M \le_{(R,P,S)} M'$, 
and $\eta' = 1 - R \cdot 1$ is the set of internal nodes of $M'$, then the correlations between future temporal properties 
given in Figure 13 are sound. 



A Logic for Correlating Temporal Properties across Program Transformations 

(WB:AX) Premises: $R \cdot z' \le R \cdot z'$; $R \cdot z * \eta' = R \cdot z$; $R \cdot \varphi \le \varphi'$; $\eta' \le \varphi'$. 
Conclusion: $R \cdot A \cdot \varphi \le A' \cdot \varphi'$. 

(WB:AU) Premises: $R \cdot z' \le R \cdot z'$; $R \cdot z * \eta' = R \cdot z$; $R \cdot \varphi \le \varphi'$; $\eta' \le \varphi'$; $R \cdot \psi \le \psi'$. 
Conclusion: $R \cdot (\mu z.\ \psi + (\varphi * A \cdot z)) \le \mu z'.\ \psi' + (\varphi' * A' \cdot z')$. 

(WB:AW) Premises: $R \cdot z' \le R \cdot z'$; $R \cdot z * \eta' = R \cdot z$; $R \cdot \varphi \le \varphi'$; $\eta' \le \varphi'$; $R \cdot \psi \le \psi'$. 
Conclusion: $R \cdot (\nu z.\ \psi + (\varphi * A \cdot z)) \le \nu z'.\ \psi' + (\varphi' * A' \cdot z')$. 

(WB:AG) Premises: $R \cdot z' \le R \cdot z'$; $R \cdot z * \eta' = R \cdot z$; $R \cdot \varphi \le \varphi'$; $\eta' \le \varphi'$. 
Conclusion: $R \cdot (\nu z.\ \varphi * A \cdot z) \le \nu z'.\ \varphi' * A' \cdot z'$. 

Fig. 13. Correlations of universal future properties under a weak bisimulation relation $M \le_{(R,P,S)} M'$ 



Proof. We first determine the nature of the relation $R$ from the definition of weak bisimulation relations and 
the premises common to the rules of Figure 13. 

From Definition 16 we know that $z = R \cdot R \cdot z$. Thus, $R$ is onto but neither one-to-many nor many-to-many 
(ref. (7)). From (7), we know that $R \cdot z' \le R \cdot z'$ states that $R$ is onto and possibly many-to-one or 
many-to-many. Further, $R \cdot z * \eta' = R \cdot z$ implies that $R \cdot z \ge R \cdot z$. From (6), we know that $R \cdot z \ge R \cdot z$ 
states that $R$ is not total and neither one-to-many nor many-to-many. Thus, $R$ is partial, onto, and either 
one-to-one or many-to-one. 

Further, from the definition of weak bisimulation, $R \cdot A \cdot R = (A' \cdot R \cdot P \cdot S \cdot R) + R \cdot P \cdot S \cdot R$. Hence, for every edge $(p, q)$ in $M$, 
in $M'$ there is either (a) an edge $(p', q')$ where $p'$ and $p$ as well as $q'$ and $q$ are related by $R$, or (b) a pair of adjacent 
edges $(p', r')$ and $(r', q')$ s.t. $p'$ and $p$ as well as $q'$ and $q$ are related by $R$ and $r'$ is an internal node. Similarly, 
for every edge or pair of adjacent edges in $M'$ there is an edge in $M$. 

The proof of the rule WB:AX is a chain of inequalities ending in $R \cdot A \cdot \varphi \le A' \cdot \varphi'$, whose steps are justified, in order, by: given; given; monotonic, identity; monotonic, given; $\varphi' \le \eta'$ hence $\varphi' * \eta' = \varphi'$; monotonic, Definition 16; Lemma 24, monotonic; associative; Definition 16, associative; Definition 16, $\varphi' * \eta' = \varphi'$; negation, given; monotonic; Lemma 23. 
The proof of the rule WB:AU is as follows. Starting from the premise $R \cdot z * \eta' = R \cdot z$, a chain of steps justified, in order, by: given; the definition of weak bisimulation; Lemma 24; distributive, Definition 16; associative, Definition 16; Definition 16; identity; distributive; Definition 16; negation; given; monotonic, distributive; Lemma 23; $R \cdot \psi \le \psi'$; monotonic; Definition 28; Lemma 29, establishes 

(ii) $\lambda z.\ \psi + (\varphi * A \cdot z) \sqsubseteq_R \lambda z'.\ g(z')$ 

(iii) $R \cdot (\mu z.\ \psi + (\varphi * A \cdot z)) \le \mu z'.\ g(z')$ 

where $g(z') = \psi' + (\varphi' * A' \cdot (z' * \overline{\eta'}) * A' \cdot (\eta' * A' \cdot (z' * \eta')))$. 

We now show that $\mu z'.\ g(z') \le \mu z'.\ \psi' + (\varphi' * A' \cdot z')$. Let $q' = \mu z'.\ \psi' + (\varphi' * A' \cdot z')$. From the definition of $q'$, by negation, monotonicity, the premise $\eta' \le \varphi'$ and Definition 16, we obtain 

(iv) $q' * \eta' \le \eta' * A' \cdot (q' * \eta')$ 

Further, 

$(q' * \overline{\eta'}) + (q' * \eta') = q'$ 

$(q' * \overline{\eta'}) + (\eta' * A' \cdot (q' * \eta')) \ge q'$    (from (iv)) 

$A' \cdot (q' * \overline{\eta'}) + A' \cdot (\eta' * A' \cdot (q' * \eta')) \ge A' \cdot q'$    (monotonic) 

$A' \cdot (q' * \overline{\eta'}) * A' \cdot (\eta' * A' \cdot (q' * \eta')) \le A' \cdot q'$    (negate; distribute) 

$\psi' + (\varphi' * A' \cdot (q' * \overline{\eta'}) * A' \cdot (\eta' * A' \cdot (q' * \eta'))) \le \psi' + (\varphi' * A' \cdot q')$    (monotonic) 

$\psi' + (\varphi' * A' \cdot (q' * \overline{\eta'}) * A' \cdot (\eta' * A' \cdot (q' * \eta'))) \le q'$    (definition of $q'$) 

Thus, $q'$ is a post-fixed point of $g$. Hence, $\mu z'.\ g(z') \le q'$. From (iii) above, by transitivity, 

$R \cdot (\mu z.\ \psi + (\varphi * A \cdot z)) \le \mu z'.\ \psi' + (\varphi' * A' \cdot z')$ 

The proofs of WB:AW and WB:AG can be derived similarly. □ 
8. Conclusions 

Program transformations are used routinely in many software development and maintenance activities. 
Temporal logics provide an expressive and powerful framework to specify program properties. In this paper, 
we have considered the problem of correlating temporal properties across program transformations. We have 
developed a logic called temporal transformation logic and presented inference rules for a comprehensive set 
of primitive program transformations. This formulation enables us to deductively verify soundness of program 
transformations when the soundness conditions of individual transformations can be captured as temporal 
logic formulae. In particular, we have considered its application to verification of compiler optimizations. 
We have made novel use of boolean matrix algebra in defining the transformation primitives and proving 
soundness of the inference rules of the logic. 

Future work involves applying the logic to verification problems arising in software engineering due to 
the use of program transformations. On the theoretical front, we plan to study completeness of the logic and 
its extension to CTL* and modal mu-calculus. The present formulations are applicable to intra-procedural 
temporal properties only. In the inter-procedural framework, we need to consider more expressive models 
of programs like recursive state machines [ABE+05] or pushdown systems [RHS95]. For inter-procedural 
analysis, temporal logics have been extended with matching calls and returns [AEM04]. Extending the logic 
to the inter-procedural setting is a challenging research direction. 

A. Computational tree logic with branching past 

The syntax of CTL$_{bp}$ formulae is as follows: 

$\varphi := \top \mid \bot \mid p \mid \neg\varphi \mid \varphi \supset \varphi \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid$ 
$\mathrm{EX}(\varphi) \mid \mathrm{EU}(\varphi,\varphi) \mid \mathrm{EW}(\varphi,\varphi) \mid \mathrm{EF}(\varphi) \mid \mathrm{EG}(\varphi) \mid$ 
$\mathrm{EY}(\varphi) \mid \mathrm{ES}(\varphi,\varphi) \mid \mathrm{EP}(\varphi) \mid \mathrm{EH}(\varphi) \mid$ 
$\mathrm{AX}(\varphi) \mid \mathrm{AU}(\varphi,\varphi) \mid \mathrm{AW}(\varphi,\varphi) \mid \mathrm{AF}(\varphi) \mid \mathrm{AG}(\varphi) \mid$ 
$\mathrm{AY}(\varphi) \mid \mathrm{AS}(\varphi,\varphi) \mid \mathrm{AP}(\varphi) \mid \mathrm{AH}(\varphi)$ 

where $\top$ and $\bot$ are special propositions denoting true and false values and $p$ is an atomic proposition. 

CTL$_{bp}$ is interpreted over models with branching past and branching future. Future is infinite whereas 
past is finite. Models of CTL$_{bp}$ formulae are nodes of Kripke structures. For a formula $\varphi$ and a node $i$ of a 
Kripke structure $M = (G, P, L)$, we write $M, i \models \varphi$ to denote that the formula $\varphi$ holds at the node $i$. With 
the boolean matrix algebraic semantics, $M, i \models \varphi$ iff $[\varphi]_i = 1$. 

Consider a valuation function $V$ from CTL$_{bp}$ formulae to boolean vectors and denote $V(\varphi)$ by $\varphi$. The 
valuation of an atomic proposition $p$ is $V(p) = L(p) = p$. 

To define semantics of CTL$_{bp}$ operators, we require the notion of fixed points over boolean vector domains. 
Consider a complete lattice $D = (B, \le)$ where $B = \{0, 1\}$ is the set of boolean values with the partial order $0 \le 1$. 
A complete lattice $D_n = (B_n, \le_n)$ is the cartesian product of $n$ $D$-lattices. Consider a monotonic function 
$f : D_n \to D_n$. The least fixed point of $f$ is denoted by $\mu z.f(z)$ and the greatest fixed point of $f$ is denoted 
by $\nu z.f(z)$. As a convention, we do not write the subscript of the partial order $\le$ when it is used for vectors. 






Definition 26. Consider a Kripke structure $M$. Let $V(\top) = 1$, $V(\bot) = 0$, and $V(p) = p$. 

$V(\neg\varphi) \triangleq \overline{\varphi}$    (negation) 

$V(\varphi \supset \psi) \triangleq \overline{\varphi} + \psi$    (implication) 

$V(\varphi \vee \psi) \triangleq \varphi + \psi$    (disjunction) 

$V(\varphi \wedge \psi) \triangleq \varphi * \psi$    (conjunction) 

$V(\mathrm{EX}(\varphi)) \triangleq A \cdot \varphi$    (Exists neXt) 

$V(\mathrm{EU}(\varphi,\psi)) \triangleq \mu z.\ \psi + (\varphi * A \cdot z)$    (Exists Until) 

$V(\mathrm{EW}(\varphi,\psi)) \triangleq \nu z.\ \psi + (\varphi * A \cdot z)$    (Exists Weak until) 

$V(\mathrm{EF}(\varphi)) \triangleq \mu z.\ \varphi + (1 * A \cdot z)$    (Exists in Future) 

$V(\mathrm{EG}(\varphi)) \triangleq \nu z.\ \varphi * A \cdot z$    (Exists Globally) 

$V(\mathrm{AX}(\varphi)) \triangleq A \cdot \varphi$    (forAll neXt) 

$V(\mathrm{AU}(\varphi,\psi)) \triangleq \mu z.\ \psi + (\varphi * A \cdot z)$    (forAll Until) 

$V(\mathrm{AW}(\varphi,\psi)) \triangleq \nu z.\ \psi + (\varphi * A \cdot z)$    (forAll Weak until) 

$V(\mathrm{AF}(\varphi)) \triangleq \mu z.\ \varphi + (1 * A \cdot z)$    (forAll in Future) 

$V(\mathrm{AG}(\varphi)) \triangleq \nu z.\ \varphi * A \cdot z$    (forAll Globally) 



To define semantics of past operators, we consider the transpose of the adjacency matrix $A$, which corresponds 
to the inverted edges of the Kripke structure. 



Definition 27. Consider a Kripke structure $M$. 

$V(\mathrm{EY}(\varphi)) \triangleq A^{T} \cdot \varphi$    (Exists Yesterday) 

$V(\mathrm{ES}(\varphi,\psi)) \triangleq \mu z.\ \psi + (\varphi * A^{T} \cdot z)$    (Exists Since) 

$V(\mathrm{EP}(\varphi)) \triangleq \mu z.\ \varphi + (1 * A^{T} \cdot z)$    (Exists in Past) 

$V(\mathrm{EH}(\varphi)) \triangleq \nu z.\ \varphi * A^{T} \cdot z$    (Exists in History) 

$V(\mathrm{AY}(\varphi)) \triangleq A^{T} \cdot \varphi - e$    (forAll Yesterday) 

$V(\mathrm{AS}(\varphi,\psi)) \triangleq \nu z.\ \psi + (\varphi * (A^{T} \cdot z - e))$    (forAll Since) 

$V(\mathrm{AP}(\varphi)) \triangleq \nu z.\ \varphi + (1 * (A^{T} \cdot z - e))$    (forAll in Past) 

$V(\mathrm{AH}(\varphi)) \triangleq \nu z.\ \varphi * (A^{T} \cdot z - e)$    (forAll in History) 

Since the entry node does not have any predecessors, an AY formula should not hold at the entry node, 
denoted by the vector $e$. Recall that in CTL$_{bp}$, past is finite. Therefore, AS is defined as the greatest fixed point. 
The greatest fixed point subsumes the infinite paths of loops in the Kripke structure. However, since AY 
does not hold at the entry node, $\psi$ has to hold before or at the entry node. This gives the required finitary 
semantics to AS. 



B. Fixed points over different vector spaces 

Our aim is to define correlations between temporal formulae interpreted on different Kripke structures. 
The Kripke structures can have different numbers of nodes. Some temporal operators are given fixed point 
semantics. Therefore, to correlate such formulae we need a correlation between fixed points of functions over 
vector spaces of different sizes. 

Consider a complete lattice $D_n = (B_n, \le_n, \bot_n, \top_n)$ of boolean vectors of size $n$ where $\bot_n = 0_n$ and 
$\top_n = 1_n$ are the bottom and top elements. Let $D_m = (B_m, \le_m, \bot_m, \top_m)$ be another complete lattice of 
boolean vectors of size $m$. Let $R$ be an $(m \times n)$ boolean matrix correlating elements of vectors in $D_m$ and 
$D_n$. Consider monotonic functions $f : D_n \to D_n$ and $f' : D_m \to D_m$. We first define an ordering between $f$ 
and $f'$ with respect to $R$. 

Definition 28. $f \sqsubseteq_R f'$ iff $\forall z \in D_n : R \cdot f(z) \le_m f'(R \cdot z)$ 

Recall that an $(m \times n)$ relation $R$ can be seen as a function $R : D_n \to D_m$. We now determine the 
correlations between the least and the greatest fixed points of functions $f$ and $f'$ s.t. $f \sqsubseteq_R f'$. 

Lemma 29. If $f \sqsubseteq_R f'$ then $R \cdot (\mu z.f(z)) \le_m \mu z'.f'(z')$. 

Proof. By Kleene's fixed point theorem [Kle52], $\mu z.f(z) = f^{a}(\bot_n)$ for some $a \ge 1$ and $\mu z'.f'(z') = f'^{b}(\bot_m)$ 
for some $b \ge 1$. 

We first prove by induction that $\forall k \in \mathbb{N} : R \cdot f^{k}(\bot_n) \le_m f'^{k}(\bot_m)$. 

Base case [$k = 1$]: From Definition 28, $R \cdot f(\bot_n) \le_m f'(R \cdot \bot_n)$. Since $\bot_n = 0_n$ and $\bot_m = 0_m$, $R \cdot \bot_n = \bot_m$. 
Hence, $R \cdot f(\bot_n) \le_m f'(\bot_m)$. 

Induction hypothesis [$k > 1$]: Let $R \cdot f^{k}(\bot_n) \le_m f'^{k}(\bot_m)$. 

Inductive case: From Definition 28, $R \cdot f(f^{k}(\bot_n)) \le_m f'(R \cdot f^{k}(\bot_n))$. From the induction hypothesis and 
monotonicity of $f'$, $f'(R \cdot f^{k}(\bot_n)) \le_m f'(f'^{k}(\bot_m)) = f'^{k+1}(\bot_m)$. Hence, by transitivity, $R \cdot f^{k+1}(\bot_n) \le_m f'^{k+1}(\bot_m)$. 

Let $\mu z.f(z) = f^{a}(\bot_n)$ and $\mu z'.f'(z') = f'^{b}(\bot_m)$ for $a \ge 1$ and $b \ge 1$. We consider all the relations 
between $a$ and $b$ and show that $R \cdot f^{a}(\bot_n) \le_m f'^{b}(\bot_m)$. 

Case [$a \le b$]: From Part I, $R \cdot f^{a}(\bot_n) \le_m f'^{a}(\bot_m)$. Since $f'$ is monotonic, we know that $\forall k \in \mathbb{N} : 
f'^{k}(\bot_m) \le_m f'^{k+1}(\bot_m)$. Since $a \le b$, $f'^{a}(\bot_m) \le_m f'^{b}(\bot_m)$. Hence, by transitivity, $R \cdot f^{a}(\bot_n) \le_m f'^{b}(\bot_m)$. 

Case [$a > b$]: From Part I, $R \cdot f^{a}(\bot_n) \le_m f'^{a}(\bot_m)$. If $f'^{k}(\bot_m)$ is the least fixed point, $\forall l \ge k : f'^{l}(\bot_m) = 
f'^{k}(\bot_m)$. Since $f'^{b}(\bot_m)$ is the least fixed point and $a > b$, $f'^{a}(\bot_m) = f'^{b}(\bot_m)$. Hence, by substituting, 
$R \cdot f^{a}(\bot_n) \le_m f'^{b}(\bot_m)$. □ 

Similarly, we prove the correlation between greatest fixed points stated below. 

Lemma 30. If $f \sqsubseteq_R f'$ then $R \cdot (\nu z.f(z)) \le_m \nu z'.f'(z')$. 
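As an added worked example (not code from the paper), the following Python evaluates the boolean-matrix semantics of Definition 26 on constructed Kripke structures and checks the ordering $f \sqsubseteq_R f'$ of Definition 28 and the conclusion of Lemma 29 by brute force over all of $D_n$. The two control-flow graphs, the relation matrices, the function names, and the reading of the universal operators as duals of the existential ones ($\mathrm{AX}(\varphi) = \neg\mathrm{EX}(\neg\varphi)$) are assumptions of this example. It also exhibits the failure mode that motivates the weak-bisimulation rules: when $M'$ inserts an internal node, the plain EX-based functions are not ordered under $R$, so Lemma 29 cannot be applied directly and a modified function (as $g$ in the WB:AU proof) is needed.

```python
"""Boolean-matrix CTL semantics (Definition 26) and a brute-force check of
Definition 28 / Lemma 29 on constructed Kripke structures.
Added illustration; not code from the paper."""
from itertools import product

# Boolean vectors are tuples of 0/1; matrices are tuples of rows.

def mat_vec(A, z):
    """A·z in the boolean semiring: (A·z)_i = OR_j (A[i][j] AND z[j])."""
    return tuple(int(any(a & b for a, b in zip(row, z))) for row in A)

def neg(z):     return tuple(1 - x for x in z)
def conj(x, y): return tuple(a & b for a, b in zip(x, y))
def disj(x, y): return tuple(a | b for a, b in zip(x, y))
def leq(x, y):  return all(a <= b for a, b in zip(x, y))

def lfp(f, n):
    """Kleene iteration from 0_n; terminates since f is monotonic on a finite lattice."""
    z = (0,) * n
    while (nz := f(z)) != z:
        z = nz
    return z

def gfp(f, n):
    """Kleene iteration from 1_n (greatest fixed point)."""
    z = (1,) * n
    while (nz := f(z)) != z:
        z = nz
    return z

# Definition 26; AX is taken as the dual of EX (assumption of this example).
def EX(A, phi):      return mat_vec(A, phi)
def AX(A, phi):      return neg(mat_vec(A, neg(phi)))
def EU(A, phi, psi): return lfp(lambda z: disj(psi, conj(phi, EX(A, z))), len(phi))
def AU(A, phi, psi): return lfp(lambda z: disj(psi, conj(phi, AX(A, z))), len(phi))
def EF(A, phi):      return EU(A, (1,) * len(phi), phi)
def AG(A, phi):      return gfp(lambda z: conj(phi, AX(A, z)), len(phi))

def ordered_by(R, f, fprime, n):
    """Definition 28: f ⊑_R f' iff for every z in D_n, R·f(z) ≤ f'(R·z).
    Returns (True, None) or (False, witness z) after checking all 2^n vectors."""
    for z in product((0, 1), repeat=n):
        if not leq(mat_vec(R, f(z)), fprime(mat_vec(R, z))):
            return False, z
    return True, None

def adjacency(n, edges):
    A = [[0] * n for _ in range(n)]
    for p, q in edges:
        A[p][q] = 1
    return tuple(map(tuple, A))

# Constructed example 1: M is a diamond CFG with a dead-end branch (node 4);
# M' merges the two diamond arms, so R (4x5, D_5 -> D_4) is many-to-one.
A  = adjacency(5, [(0, 1), (0, 2), (1, 3), (2, 3), (3, 3), (0, 4), (4, 4)])
A1 = adjacency(4, [(0, 1), (1, 2), (2, 2), (0, 3), (3, 3)])
R  = ((1, 0, 0, 0, 0), (0, 1, 1, 0, 0), (0, 0, 0, 1, 0), (0, 0, 0, 0, 1))
end, end1 = (0, 0, 0, 1, 0), (0, 0, 1, 0)          # ψ: "exit node reached"
f  = lambda z: disj(end,  EX(A,  z))              # body of EF(end)  on M
f1 = lambda z: disj(end1, EX(A1, z))              # body of EF(end') on M'

def lemma29_holds():
    """Premise of Lemma 29 by brute force, then its conclusion R·μf ≤ μf'."""
    ok, _ = ordered_by(R, f, f1, 5)
    return ok and leq(mat_vec(R, lfp(f, 5)), lfp(f1, 4))

# Constructed example 2: M' inserts an internal node (3) between 0 and 1, the
# one-step weak bisimulation case.  The EX-based functions are then NOT
# ordered under R: R·f(z) has a 1 at node 0 while f'(R·z) does not.
B  = adjacency(3, [(0, 1), (1, 2), (2, 2)])
B1 = adjacency(4, [(0, 3), (3, 1), (1, 2), (2, 2)])
Rw = ((1, 0, 0), (0, 1, 0), (0, 0, 1), (0, 0, 0))  # row 3 is internal
g  = lambda z: disj((0, 0, 1),    EX(B,  z))
g1 = lambda z: disj((0, 0, 1, 0), EX(B1, z))

def weak_bisim_witness():
    """Vector z on M for which R·g(z) ≤ g'(R·z) fails (None if ordered)."""
    return ordered_by(Rw, g, g1, 3)[1]

if __name__ == "__main__":
    print("EF(end) on M:", EF(A, end))
    print("Lemma 29 holds for example 1:", lemma29_holds())
    print("Example 2 violating z:", weak_bisim_witness())
```

The brute-force check is exponential in the number of nodes, so it only serves to validate the premise on small structures; the point of Lemma 29 is precisely that once $f \sqsubseteq_R f'$ is established (algebraically, as in the proofs above), the fixed points need not be enumerated.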



